To the Admins: Possible Security Related Bug in discussions.apple.com Login

To the discussion/support site admins. There seems to be a security flaw in the Login of discussions.apple.com. If you log out and then press login again, it automatically logs you in without entering any password or username. This could mean that if you stopped using your computer but you're still on the discussion page and the next user clicked login, that person would be able to log in to your account without entering any password or username. The only way to prevent that is to quit Safari (I'm not sure if it's the same with other browsers).

Please fix as soon as you can. Thank you.

Gbu.

iMac i7 Late 2009, Mac OS X (10.6.6)

Posted on Feb 25, 2011 6:45 AM

14 replies

Feb 25, 2011 9:14 AM in response to Alvin777

Proper place to ask this question is the Discussions Feedback forum:

http://discussions.apple.com/forum.jspa?forumID=1076

Session cookies are in use here. They are active from the time you log in until you close (quit) your browser. (Anomalies have been reported in some versions of some browsers where members are asked to log in multiple times without quitting their browsers.)

If you want to log out completely and securely without quitting your browser, then you should delete Apple Discussions-related cookies.

Feb 25, 2011 4:31 PM in response to Barney-15E

I unchecked everything in the Autofill in Safari but it's still the same. I'm using 5.0.3.

Steps: Log in, stay on the page where the categories are listed (the page just after logging in), then log out, then click Login again; it'll log in without entering any password or screen name. If you clicked a category and you're not on the main and then you logged out, sometimes the bug doesn't happen, it seems.

Feb 25, 2011 4:40 PM in response to Alvin777

I suspect, since the page is cached and you can select Safari->History->Reopen Last Closed Page, that there's persistence. If that's correct, then logout, empty the cache, and try logging back in. If it still occurs, then the login info might be stored on the Server for some amount of time before it's deleted. If that's the case, quit Safari or change categories.

Feb 25, 2011 6:30 PM in response to baltwo

I have noticed this with Firefox. I log out of Discussions, go off to other pages, then decide to go back to Discussions. If I click on login at the right side of the main window, it will log me in without going to the ID-password page. Never thought of it as a problem. It only happens when a short period of time - a few minutes - has passed between log out and log back in. And not every time.

I would go with your temporary server cache suggestion. I don't remember this ever happening on another site, regardless of the time between logout and log back in -- even less than a minute.
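
The thread never establishes the cause, but the behaviour the posts describe (Logout, then Login, and no password prompt) is what a site shows when logout leaves the server-side session record alive while the session cookie is still in the browser. The sketch below is an added example, not part of any post and not Apple's code; `SessionStore`, both logout methods and the account name are hypothetical and constructed for illustration.

```python
import secrets
import time

class SessionStore:
    """In-memory stand-in for a site's server-side session table (hypothetical)."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, username):
        # Called only after the password check succeeded; returns the cookie value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, time.time() + self.ttl)
        return sid

    def user_for(self, sid, now=None):
        # What the "Login" link checks first: if the cookie still maps to a live
        # session, the visitor is signed in without seeing the password page.
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None or record[1] <= now:
            self._sessions.pop(sid, None)  # unknown or expired: drop it
            return None
        return record[0]

    def logout_weak(self, sid):
        # Only changes what the page shows; the server-side record survives,
        # so the cookie still held by the browser keeps working until it expires.
        return "logged out"

    def logout_strong(self, sid):
        # Deletes the server-side record, so the cookie left in the browser is
        # worthless. The HTTP response should also expire the cookie itself.
        self._sessions.pop(sid, None)
        return "logged out"

def shared_computer_scenario(logout_name):
    """Return the account the next person at the same browser lands in, or None."""
    store = SessionStore()
    cookie = store.login("first_user")    # constructed sample account
    getattr(store, logout_name)(cookie)   # first user clicks Logout
    return store.user_for(cookie)         # next user clicks Login, same browser
```

With `logout_weak` the second visitor lands in the first user's account; with `logout_strong` the same cookie resolves to nobody and the password page is shown.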

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
