Friday, October 12, 2007

Advertlets Review: Round 2..Still Considered Broken

Josh Lim and Zaki of Advertlets took the time to comment on my review post on Advertlets, but I still stand by my observation that the login functionality of http://advertlets.com is a broken one.

You can try out the previous scenario mentioned in my review post here, but this is a brand new scenario, which I mentioned in the comments section and am now putting up in a post of its own. It is not difficult to execute, but it is definitely a curve ball for Advertlets' development and testing teams:
  1. User A logs in successfully to Advertlets via http://advertlets.com
  2. User A closes his browser, Firefox in this case. It doesn't matter whether you close every Firefox window, as long as you close the one showing Advertlets.
  3. User B sits down at User A's computer, fires up Firefox, goes to http://advertlets.com and keys in any old Tom, Dick and Harry login details, i.e. a wrong username and password.
Now, guess what happens? Despite the wrong login details, User B is now logged in to Advertlets as User A.
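To make the three steps above concrete, here is an added model of the scenario in Python. It is not Advertlets' code: the page never shows the server logic, so the mechanism below (a persistent session cookie set on www.advertlets.com, and a failed login on the bare host bouncing the browser to the www front page where the old cookie is still honoured) is an assumption drawn from the description in this post and in the comment thread, and the credential for "User A" is constructed. The model also runs two other configurations, a redirect of the bare host to www on its own, and a hardened login that uses a session-only cookie and throws away whatever session the browser presents on every login attempt, so the difference between hiding the symptom and removing the lingering session is visible side by side.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample credential standing in for "User A"; not from the post.
USERS = {"user_a": "hunter2"}
BARE, WWW = "advertlets.com", "www.advertlets.com"


@dataclass
class Browser:
    """Host-scoped cookie jar. A cookie set without a Domain attribute is sent
    back only to the exact host that set it, so www and non-www are separate."""
    jar: dict = field(default_factory=dict)  # (host, name) -> (value, persistent)

    def cookies_for(self, host):
        return {n: v for (h, n), (v, _) in self.jar.items() if h == host}

    def set_cookie(self, host, name, value, persistent):
        self.jar[(host, name)] = (value, persistent)

    def close(self):
        # Closing the browser discards session cookies; persistent ones survive.
        self.jar = {k: v for k, v in self.jar.items() if v[1]}


class App:
    """One application reachable on both hosts, in three configurations:
    weak          - assumed pre-fix behaviour: persistent cookie set on www,
                    a failed login on the bare host bounces to the www front page
    redirect_only - the fix described in the comments: bare host -> www first
    hardened      - redirect plus a session-only cookie and invalidation of any
                    presented session on every login attempt
    """

    def __init__(self, mode):
        assert mode in ("weak", "redirect_only", "hardened")
        self.mode = mode
        self.sessions = {}  # session id -> username

    def canonical(self, host):
        return host if self.mode == "weak" else WWW

    def whoami(self, browser, host):
        """GET /dashboard on host: who the server thinks the browser is."""
        sid = browser.cookies_for(self.canonical(host)).get("sid")
        return self.sessions.get(sid)

    def login(self, browser, host, username, password):
        """POST /login. Returns the host the browser is sent to afterwards."""
        host = self.canonical(host)
        if self.mode == "hardened":
            # Any login attempt, successful or not, abandons the presented session.
            old = browser.jar.pop((host, "sid"), None)
            if old:
                self.sessions.pop(old[0], None)
        if USERS.get(username) == password:
            sid = secrets.token_hex(16)  # fresh id, never the one the client presented
            self.sessions[sid] = username
            # The logged-in pages live on www, so the cookie is set there (assumption).
            browser.set_cookie(WWW, "sid", sid, persistent=(self.mode != "hardened"))
            return WWW
        # Failed login: the weak code redirects to the www front page; the other
        # two re-render the login form on the host that received the attempt.
        return WWW if self.mode == "weak" else host


def run_scenario(mode, close_browser=True):
    """Steps 1-3 from the post. Returns who User B is logged in as (None = nobody)."""
    app, browser = App(mode), Browser()
    landing = app.login(browser, BARE, "user_a", "hunter2")        # step 1
    assert app.whoami(browser, landing) == "user_a"
    if close_browser:
        browser.close()                                             # step 2
    landing = app.login(browser, BARE, "tom", "dick-and-harry")     # step 3
    return app.whoami(browser, landing)


if __name__ == "__main__":
    for mode in ("weak", "redirect_only", "hardened"):
        print(f"{mode:14s} User B ends up as: {run_scenario(mode)}")
```

Under this model the weak configuration reproduces the post: User B lands on www.advertlets.com holding User A's persistent cookie and is User A. Redirecting the bare host to www stops the wrong-credentials form from dropping User B onto the logged-in pages, but User A's session is still alive in the cookie jar and a plain visit to the dashboard still finds it; only the hardened variant, which uses a cookie that dies with the browser and discards the presented session before checking the new credentials, leaves User B logged in as nobody whether or not the browser was closed.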

I'm going to say the same thing I said in the comments section of my earlier post. If Google AdSense were to display such tendencies... I would flip.

Do note that I don't have two Advertlets accounts, so I don't have the opportunity to test the scenario whereby User B enters valid User B information and logs in.

7 comments:

TenthOfMarch said...

tokyo_nights, all I can say is that you are a very brave man.

Josh Lim said...

Hello,

Happy to say that the problem as described by you is fixed now, as promised, within 12 hours. We're also tweaking a few other issues we've found as well, but so far it's nothing critical that would compromise your password, user details, or earnings.

Do let us know if you spot anything else, you can drop me an e-mail too.

Cheers!

tokyo_nights said...

Fixed by redirecting traffic from http://advertlets.com to http://www.advertlets.com?

This is a jury-rigged solution at best and, although it works for the time being, you really should have your staff looking into your code for how you utilise cookies/sessions.

tokyo_nights said...

@tenthofmarch: you are very brave too :)

Jasonmumbles said...

These people should get better programmers. :)

TenthOfMarch said...

Redirecting advertlets.com to www.advertlets.com is the easiest "way out" for this. I hope there are other things changed at the backend that we can't see. There is no way anyone can verify if there are, but let's just have faith in whatever their reply is.

tokyo_nights, do keep us updated if you manage to find anything else. They wouldn't want me in their system again. ;-)

Josh Lim said...

jasonmumbles: Let's just say that the old programmer is now unemployed, and that the bug was a remnant of the old system. We foresee our new programmer fixing a lot of the bugs left behind from last time :)

To summarize, basically the bug was that after someone logged in at www.advertlets.com and *didn't log out*, someone else then logged in to http://advertlets.com (without the www). After you log in the second time, it's redirected, and since it's on http:// instead of www, the cookie cannot be traced, therefore it just read the old cookie after the redirect.

In English, it basically means that the problem was that there was another way to log in after already logging in. This isn't strictly a "hack" per se; the vulnerability only arises if one does not log out.

Security-wise, as some of you might remember, some time back there was an open invitation to hack our system posted up. Not quite the beta test we had in mind, but despite a lot of tries, no one managed to hack anything or access anything besides their own account like a normal user.

Anyway, it's fixed now, but generally, as most people would know, it's good practice to log out, and not to use the same password for everything :)

We will be implementing stricter authentication processes in future, so even if one forgets to log out we will have it covered. Thanks.