Bug #34952 | Easy to take over someone's account | | |
---|---|---|---|
Submitted: | 29 Feb 2008 4:06 | Modified: | 3 Mar 2008 21:23 |
Reporter: | Diego Medina | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Websites: MySQLForge | Severity: | S1 (Critical) |
Version: | forge1.mysql.com | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
Tags: | login | | |
[29 Feb 2008 4:06]
Diego Medina
[29 Feb 2008 5:43]
Giuseppe Maxia
Thanks for your bug report. Verified as described.
[29 Feb 2008 5:43]
Valeriy Kravchuk
Thank you for a problem report. I was able to create a 2nd account with the same email address but a different password and other attributes. When I tried to log in, though, only the password for the initial account with that email address worked. But(!) I was then logged in with the "Display Name" of the 2nd account. Do you see the same behaviour?
[29 Feb 2008 15:45]
Diego Medina
Yes, I had to use the first password, but it does show the second "display name". The only way I found so far to log in without knowing the password is to create a new account using that email address once again.
[29 Feb 2008 16:49]
Valeriy Kravchuk
Anyway, this is a bug.
[3 Mar 2008 18:35]
Jay Pipes
Hi! I'm checking into this. For what it's worth, the table in question has a unique index on the email address field, so no two accounts can be created using the same email address. Likely, what is happening is that instead of erroring out with a message saying "Email already in use", the account with that email is being overwritten with the new account information, essentially bonding the old account with the new user.... :( Anyway, I should have this figured out shortly... Cheers.
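The mechanism Jay describes, as an added example that is not Forge's code and not part of the original bug thread: a `users` table with a UNIQUE index on `email`, a hypothetical registration routine (`register_buggy`) that upserts on that index, and a fixed routine (`register_fixed`) that lets the unique index reject the duplicate and reports "Email already in use". The buggy upsert is reconstructed to reproduce what Valeriy and Diego observed (the old password still works, but the new display name is shown); the real Forge query is not on the page. SQLite stands in for MySQL so the example runs offline (the MySQL spelling of the same upsert is `INSERT ... ON DUPLICATE KEY UPDATE`), and the assumption that registration returns the row found by email afterwards, which a site would then treat as the logged-in user, is mine as well.

```python
import hashlib
import secrets
import sqlite3


def hash_password(password: str, salt: str = "") -> str:
    """Salted SHA-256, stored as 'salt$hex'. Keeps the example self-contained;
    a real site should use a slow password hash (bcrypt, scrypt, Argon2)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def check_password(stored: str, password: str) -> bool:
    salt, _ = stored.split("$", 1)
    return secrets.compare_digest(stored, hash_password(password, salt))


def open_db() -> sqlite3.Connection:
    # Hypothetical schema; the only detail taken from the thread is the
    # unique index on the email column.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL UNIQUE,"
        " display_name TEXT NOT NULL,"
        " pw_hash TEXT NOT NULL)"
    )
    return conn


def register_buggy(conn, email, display_name, password):
    """Hypothetical buggy registration: an upsert on the unique email column.
    A second signup with an existing email does not fail; it updates the
    victim's row and hands the caller that row (SQLite >= 3.24 upsert syntax;
    MySQL equivalent: INSERT ... ON DUPLICATE KEY UPDATE)."""
    conn.execute(
        "INSERT INTO users (email, display_name, pw_hash) VALUES (?, ?, ?)"
        " ON CONFLICT(email) DO UPDATE SET display_name = excluded.display_name",
        (email, display_name, hash_password(password)),
    )
    row = conn.execute(
        "SELECT id, display_name FROM users WHERE email = ?", (email,)
    ).fetchone()
    # Assumption: the site now starts a session for this user id, so the
    # second registrant is logged in as the original account holder.
    return {"ok": True, "user_id": row[0], "display_name": row[1]}


def register_fixed(conn, email, display_name, password):
    """Plain INSERT: the unique index rejects a duplicate email and the
    constraint violation becomes the 'Email already in use' message."""
    try:
        cur = conn.execute(
            "INSERT INTO users (email, display_name, pw_hash) VALUES (?, ?, ?)",
            (email, display_name, hash_password(password)),
        )
    except sqlite3.IntegrityError:
        return {"ok": False, "error": "Email already in use"}
    return {"ok": True, "user_id": cur.lastrowid, "display_name": display_name}


def login(conn, email, password):
    row = conn.execute(
        "SELECT id, display_name, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None or not check_password(row[2], password):
        return None
    return {"user_id": row[0], "display_name": row[1]}


def demo(register):
    """Constructed scenario: a victim registers, then an attacker registers
    with the victim's email. Returns what each step produced."""
    conn = open_db()
    victim = register(conn, "victim@example.com", "Victim", "victim-pw")
    attacker = register(conn, "victim@example.com", "Attacker", "attacker-pw")
    return {
        "victim": victim,
        "attacker": attacker,
        "login_old_pw": login(conn, "victim@example.com", "victim-pw"),
        "login_new_pw": login(conn, "victim@example.com", "attacker-pw"),
        "row_count": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print("buggy:", demo(register_buggy))
    print("fixed:", demo(register_fixed))
```

With `register_buggy`, the second signup succeeds, the table still holds one row, the victim's password still works, the display name now reads "Attacker", and the caller is handed the victim's user id. With `register_fixed`, the duplicate is refused and the victim's row is untouched. The fix leans on the unique index rather than a SELECT-then-INSERT existence check, since the latter races between two concurrent signups while the index does not.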
[3 Mar 2008 20:11]
Jay Pipes
Since this is a critical bug, I would like to get feedback on whether the patch I just pushed fixes all these issues. I cannot now reproduce the issues on my local environment. Please test on forge1.mysql.com and let me know if you can repeat the bug's behaviour. If not, I will close this. Patches in r378.
[3 Mar 2008 21:23]
Diego Medina
Yep, it is fixed now.