mysociety / alaveteli

Provide a Freedom of Information request system for your jurisdiction
https://alaveteli.org

Warn users some links in emails automatically log them in so should not be shared #1324

Closed RichardTaylor closed 6 years ago

RichardTaylor commented 10 years ago

A user on WhatDoTheyKnow appears to have shared one of the links given in some emails the system sends to users, and was surprised when the person who was sent the link was logged into their account when they used it.

Certain links in email messages from an Alaveteli site do automatically log in those who use them.

These are the links of the form:

https://www.whatdotheyknow.com/c/[long alphanumeric code]

That these links should not be shared with others is perhaps something we should make more clear to our users.

This is the first time this has been raised as a problem, so this could be a one-off report of a problem which is not widespread.

mhl commented 10 years ago

Just for the record, there has been a similar complaint with regard to FixMyStreet:

garethrees commented 10 years ago

I just noticed an instance of this.

Perhaps we could look at making the login token single use, so once the link has been clicked (likely by the account owner) any further shares of it would redirect to a login page?

crowbot commented 10 years ago

There's a tradeoff between the convenience of being able to go back and use that link again though.

RichardTaylor commented 10 years ago

I note there's a BBC News article on Dropbox's use of similar links:

http://www.bbc.co.uk/news/technology-27285786

The focus there is the links leaking out via referrers and people putting them into Google as search terms, resulting in them being reported to advertisers.

My view is that the question is one of whether these kinds of links are culturally acceptable and understood by users.

I think people are used to lots of services having a visibility setting of "anyone with the link", e.g. Google Docs / YouTube.

I think the links are OK but need to be well labelled to explain what they are.

kingqueen3065 commented 9 years ago

This just happened to me; I used the batch request feature for the first time and noticed that the link sent to me automatically logged me in. I assumed it was a bug. I agree that where such links are sent out, the software should make sure that the user is entirely clear that the link automatically logs in anybody who clicks on it. Otherwise it's a big security hole.

garethrees commented 9 years ago

This came up in AlaveteliCon 2015. The consensus seemed to be that the existing behaviour is pretty dangerous.

crowbot commented 8 years ago

Comments from @FOIMonkey:

We've just had an instance of a user accidentally making an FOI request whilst logged in as, and so in the name of, another user. This was likely caused by a user forwarding an email received about their request to another person, who was then logged into the first users account automatically without the second person realising by clicking on the link in the email. We have had problems in the past with users copying these links out of emails and pasting them into social media posts, which hands control of their account to the world at large.

Questions/suggestions

Are auto login links helpful and necessary?
Should these work only one time/be strictly time limited?
Is there a potential for this to happen to an admin account?
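One way to implement the single-use, time-limited variant raised above (garethrees's suggestion that a token stop working after its first click, and the later question of whether links should work only once or be strictly time limited), written here as an added example in Ruby. This is not Alaveteli's code: the class names, the in-memory store, the 24-hour default lifetime and the example.invalid host are assumptions; only the /c/ path shape is taken from the link form quoted in the issue.

```ruby
require 'securerandom'
require 'digest'

# Clock that can be moved by hand so expiry is testable offline (assumed helper).
class FixedClock
  attr_accessor :now
  def initialize(now)
    @now = now
  end
end

# Single-use, time-limited login links for e-mail (illustrative, not Alaveteli's code).
# A token is a random URL-safe string. Only its SHA-256 digest is stored, so a
# leaked copy of the store does not hand out working links.
class EmailLoginTokens
  DEFAULT_TTL = 24 * 60 * 60 # seconds; assumed value

  def initialize(ttl: DEFAULT_TTL, clock: Time)
    @ttl = ttl
    @clock = clock # anything responding to #now
    @store = {}    # digest => { user_id:, expires_at:, used_at: }
  end

  # Issue a token for user_id and return it. The plaintext token is only ever
  # held here, long enough to put it in the e-mail.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness
    @store[digest(token)] = {
      user_id: user_id,
      expires_at: @clock.now + @ttl,
      used_at: nil
    }
    token
  end

  # Build the e-mail link. The /c/ path mirrors the form quoted in the issue;
  # the host is a placeholder.
  def link_for(token, base: 'https://example.invalid')
    "#{base}/c/#{token}"
  end

  # Redeem a token from a clicked link.
  # First valid use: [:login, user_id]. Unknown, expired or already-used
  # token: [:redirect_to_login, nil], i.e. the visitor is sent to the normal
  # login page instead of being signed in as the account owner.
  def redeem(token)
    record = @store[digest(token)]
    now = @clock.now
    return [:redirect_to_login, nil] if record.nil?
    return [:redirect_to_login, nil] if now > record[:expires_at]
    return [:redirect_to_login, nil] unless record[:used_at].nil?

    record[:used_at] = now
    [:login, record[:user_id]]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Scenario from the thread: the owner clicks the link, then forwards the
# e-mail; the recipient's click must land on the login page, not in the
# owner's account. Returns [owner_result, recipient_result].
def forwarded_link_outcome(tokens, user_id)
  token = tokens.issue(user_id)
  owner_click     = tokens.redeem(token)
  recipient_click = tokens.redeem(token)
  [owner_click, recipient_click]
end

if $PROGRAM_NAME == __FILE__
  clock  = FixedClock.new(Time.at(0))
  tokens = EmailLoginTokens.new(ttl: 3600, clock: clock)
  p forwarded_link_outcome(tokens, 42)
  # => [[:login, 42], [:redirect_to_login, nil]]
end
```

The trade-off crowbot mentions is visible in the second result: once the owner has used the link, going back to it later also lands on the login page rather than signing them in, which is the price of making a forwarded or pasted copy worthless. Storing only the digest means a database dump or log line containing the table does not yield a live login link, and the expiry bounds how long an unclicked link in a forwarded mailbox stays dangerous.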

kingqueen3065 commented 8 years ago

I can't work out if this thread is open or not. But anyway,

I think users will not generally expect to be automatically logged in from a link in an email; this is rare in other websites, I've not come across it anywhere else. I think the benefit of this is questionable, as generally people will be logged in due to a retained cookie or will expect to have to log in, which isn't a big hassle. I think the risk of having such links is substantial, as has been demonstrated by the small number of cases in which a user has accidentally made FOI requests using somebody else's account. I think that it would be best to remove this functionality, i.e. to just supply a link to the request, and that in the meantime the templates for emails should be amended to make it totally clear that the link automatically logs the clicker in.

kingqueen3065 commented 8 years ago

We have just had reported to us another example of this security problem.

It is my contention that these links cause considerably more trouble than they relieve. People are used to having to log in; a link requiring them to log in before they get to the relevant page, if they aren't already logged in, is not a major barrier.

I think:

1) these links should not be used
2) if they are used, there should be very clear warnings not to forward them on to others.

RichardTaylor commented 3 years ago

Just to note we've had a user write to WhatDoTheyKnow apparently suggesting links to their requests which the system emails them should automatically log them in!

In this instance the email in question was one prompting the user to chase up an overdue request.