mysociety / fixmytransport

A site focussed on connecting and empowering people who share transport problems of different kinds.
http://www.mysociety.org/2010/03/15/mysocietys-next-12-months-fixmytransport-and-project-fosbury/

Questionnaire URL in support email allowed me to be logged in as user #691

Closed MyfanwyNixon closed 12 years ago

MyfanwyNixon commented 12 years ago

We received a support email indicating that the user had been on a questionnaire page when he submitted feedback - URL /q/jntv64z8*****

I followed the link to see which campaign he was talking about, and as a result became logged in as him. I remained logged in as I browsed the site.

This strikes me as a potential security breach, although presumably a small one if it's only the team who'd ever see it?

crowbot commented 12 years ago

This is intentional behaviour - as ever, there's a tradeoff between security and convenience, and we've decided on the side of convenience in this case.
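The two behaviours this thread discusses, as an added Ruby example (not fixmytransport's own code; the token store, questionnaire ids and function names are assumptions): the session-creating lookup the issue reports, beside a scoped alternative that keeps the no-password convenience while not logging in whoever follows the link.

```ruby
require 'digest'
require 'securerandom'

# Constructed example data: one valid and one expired questionnaire token,
# both belonging to user 691 (the user from the issue); questionnaire ids are made up.
VALID_TOKEN   = SecureRandom.hex(16)
EXPIRED_TOKEN = SecureRandom.hex(16)

def token_digest(token)
  Digest::SHA256.hexdigest(token) # store a digest so a leaked table does not leak live URLs
end

TOKENS = {
  token_digest(VALID_TOKEN)   => { questionnaire_id: 'q-example-1', user_id: 691,
                                   expires_at: Time.now + 7 * 24 * 3600, used: false },
  token_digest(EXPIRED_TOKEN) => { questionnaire_id: 'q-example-2', user_id: 691,
                                   expires_at: Time.now - 60, used: false },
}

# Behaviour the issue reports: the /q/<token> URL establishes a full session,
# so whoever follows the link (support staff, anyone the email was forwarded to)
# stays logged in as the user for the rest of their visit.
def login_via_questionnaire_token(session, token)
  rec = TOKENS[token_digest(token)]
  return :invalid unless rec
  session[:user_id] = rec[:user_id]   # persists across subsequent requests
  rec[:questionnaire_id]
end

# Narrower alternative that keeps the convenience (no password needed to answer)
# without impersonation: the token is a per-resource capability, checked on each
# request, time-limited, single-use, and never written into the session.
def authorize_questionnaire(token)
  rec = TOKENS[token_digest(token)]
  return :invalid unless rec
  return :expired if rec[:expires_at] < Time.now
  return :used if rec[:used]
  { questionnaire_id: rec[:questionnaire_id], answering_for: rec[:user_id] }
end

def submit_answers(token, answers)
  auth = authorize_questionnaire(token)
  return auth unless auth.is_a?(Hash)   # propagate :invalid / :expired / :used
  TOKENS[token_digest(token)][:used] = true   # capability is consumed on submit
  { saved: answers.size, questionnaire_id: auth[:questionnaire_id] }
end
```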