Bug #34952 Easy to over take someone's account
Submitted: 29 Feb 2008 4:06 Modified: 3 Mar 2008 21:23
Reporter: Diego Medina Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Websites: MySQLForge Severity:S1 (Critical)
Version:forge1.mysql.com OS:Any
Assigned to: CPU Architecture:Any
Tags: login
Triage: D2 (Serious)

[29 Feb 2008 4:06] Diego Medina
Description:
if you know the email address of someone with an account on the forge, go a register the same email address and you will be the new owner of that account.

How to repeat:
Create a new account and fill in the fields with anything you want, but just make sure you use someone else's email address.

And you will see that you are going to be logged in with no problems under the already used email address.

Suggested fix:
make sure email address was not already used.
[29 Feb 2008 5:43] Giuseppe Maxia
Thanks for your bug report.
Verified as described.
[29 Feb 2008 5:43] Valeriy Kravchuk
Thank you for a problem report. 

I was able to created 2nd account with the same email address but different password and other attributed. When I tried to login, though, only the the password for initial account with that email address worked. But(!) I was logged in then with "Display Name" of 2nd account. Do you see the same behaviour?
[29 Feb 2008 15:45] Diego Medina
Yes, I had to use the first password but it does show the second "display name"

The only way I found so far to login without knowing the password is to create a new account using that email address once again.
[29 Feb 2008 16:49] Valeriy Kravchuk
Anyway, this is a bug.
[3 Mar 2008 18:35] Jay Pipes
Hi!  I'm checking into this.  For what it's worth, the table in question has a unique index on the email address field, so no two accounts can be created using the same email address.

Likely, what is happening is that instead of error-ing out with a message saying "Email already in use", the account with that email is being overwritten with the new account information, essentially bonding the old account with the new user.... :(

Anyway, I should have this figured out shortly...

Cheers.
[3 Mar 2008 20:11] Jay Pipes
Since this is a critical bug, I would like to get feedback on whether the patch I just pushed fixes all these issues.  I cannot now reproduce the issues on my local environment.  Please test on forge1.mysql.com and let me know if you can repeat the bug's behaviour.  If not, I will close this.

Patches in r378.
[3 Mar 2008 21:23] Diego Medina
Yep, it is fixed now.