Automattic / simplenote-electron

Simplenote for Web, Windows, and Linux
https://app.simplenote.com
GNU General Public License v2.0

⚠P0 - Session Misrouting / Identity Mix-Up / User Data Crossover Issue #3247

Closed AlgorithmExperiments closed 1 month ago

AlgorithmExperiments commented 2 months ago

⚠IDENTITY MIX-UP / SESSION MISROUTING / USER DATA CROSSOVER ISSUE

Priority: likely P0 issue

Affecting: Actively affecting browser sessions (using the manual user/password login option) at app.simplenote.com

Upon login, user sessions for the Electron web app are currently fetching the incorrect user's data for some users. First noticed Aug 16 2024, and saw another user also posted an alert earlier today on the Simplenote help forums.

Expected

User is shown their own user data upon login

Observed

❗ User is shown the wrong user's data (including wrong email address) upon login, with full access to all of that user's private notes. Immediately logged out of web app, used mobile app to export all personal data (Android session data still seemed intact), then used mobile app to delete account.

Reproduced

  1. Go to: https://www.app.simplenote.com
  2. Log in via manual email/password login
  3. Incorrect user data is shown (sometimes even displaying the incorrect user's email address in the popup modal dialog that requests the user to either 'confirm' or 'change' their email address - clicking 'change' takes the user to a settings page which may actually show the correct user email address - pressing the button to return to notes again surfaces the incorrect user's notes.)

📸 screenshots omitted to preserve user's privacy - redacted photo proof available upon request

Where did you see the bug
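An added example, not code from the Simplenote project or from the reporters: a server-side consistency check a defender could run over authentication and data-fetch logs to detect the crossover described in the reproduction steps above (a session issued to one account returning another account's notes, while the profile fetch may still return the right one). The JSON-lines log format, event names and field names are assumptions constructed for this example.

```javascript
// Added example (not Simplenote project code). Constructed JSON-lines log;
// event types and field names are assumptions, not Simplenote's real format.
const SAMPLE_LOG = [
  '{"ts":"2024-08-16T20:01:02Z","event":"login","session":"sess-A1","user":"alice@example.com"}',
  '{"ts":"2024-08-16T20:01:03Z","event":"fetch_profile","session":"sess-A1","owner":"Alice@Example.com"}',
  '{"ts":"2024-08-16T20:01:04Z","event":"fetch_notes","session":"sess-A1","owner":"dmitry@example.com"}',
  '{"ts":"2024-08-16T20:02:00Z","event":"login","session":"sess-B7","user":"bob@example.com"}',
  '{"ts":"2024-08-16T20:02:01Z","event":"fetch_notes","session":"sess-B7","owner":"bob@example.com"}',
  '{"ts":"2024-08-16T20:03:00Z","event":"fetch_notes","session":"sess-Z9","owner":"carol@example.com"}',
  'not json at all',
];

// Normalize identities so "Alice@Example.com " and "alice@example.com" compare equal.
function normalizeEmail(e) {
  return typeof e === 'string' ? e.trim().toLowerCase() : null;
}

// Single pass over the log: remember which account each session was issued to
// at login, then flag any data fetch on that session whose owner differs.
// Fetches on a session with no recorded login are reported separately, since
// the check cannot say whether they are a crossover or just a log gap.
function findCrossovers(lines) {
  const sessionOwner = new Map();
  const findings = [];
  for (const line of lines) {
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (ev.event === 'login') {
      sessionOwner.set(ev.session, normalizeEmail(ev.user));
      continue;
    }
    if (typeof ev.event !== 'string' || !ev.event.startsWith('fetch_')) continue;
    const expected = sessionOwner.get(ev.session);
    const actual = normalizeEmail(ev.owner);
    if (expected === undefined) {
      findings.push({ kind: 'unknown_session', session: ev.session, event: ev.event, ts: ev.ts });
    } else if (expected !== actual) {
      findings.push({ kind: 'crossover', session: ev.session, event: ev.event, ts: ev.ts, expected, actual });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findCrossovers(SAMPLE_LOG), null, 2));
}
```

In the constructed sample, sess-A1's profile fetch matches the login identity but its notes fetch does not, which is the pattern the report describes; a single finding of this kind is enough to justify invalidating the session.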

jurakovic commented 2 months ago

I am experiencing this bug now. I log in and get notes written in Cyrillic by some Dmitry. I don't even want to think about what would happen if anyone gets my notes. Whose responsibility is this?! Fix this ASAP

AlgorithmExperiments commented 2 months ago

Related support forum thread:

🔗 https://forums.simplenote.com/forums/topic/simplenote-security-breach-tonight/

codebykat commented 1 month ago

Thanks for the reports, y'all, and sorry for the mix-up. This has been addressed.