Watch your Sedo Account!!

Someone PM'd me here the other day and told me they clicked on my auction link to a name I have at auction and was put right into my account. They informed me they logged out right away and PM'd me the warning.

I just went to sedo.com to check my name at auction and I was automatically put into someone's account. Their name was Hai. Anyone here?

I emailed Hai as I had all of his domains in the domain management area right in front of me. Did a whois on one of them and got his email address.

Sent him the email and a screen capture of his account. You can see it attached.

Thoughts anyone? What's going on, Sedo?

HasRob..........
 
That is me. Thanks a lot for emailing me.
They seriously need to fix it. >:(

*off topic: I am a her*
 
Have you reported this to Sedo?
 
You're welcome, sorry about the he/her thing :)

Just glad you're aware of it. No, I didn't report it because I thought it was just a fluke thing. I did change my password when I got the PM last week.

And yes, this needs to be fixed.
 
HasRob said:
You're welcome, sorry about the he/her thing :)

Just glad you're aware of it. No, I didn't report it because I thought it was just a fluke thing. I did change my password when I got the PM last week.

And yes, this needs to be fixed.

Thanks for your email, else I wouldn't have any idea about this thing :( Changed my password just now. Don't know if that is going to fix anything at all. That is a huge security hole. :td:

Once again, thanks a lot for notifying me.
 
No problem, I removed the attachment also.
 
Sedo is getting worse and worse. :(
 
Hmmm..
I was bored so I tested this.
I went on IE. Logged in. Opened up an auction.
Copy URL and open with FF. Usually the session is cookie-based, but with Sedo it is URL-based, and I was suddenly logged in. :O
But I logged off with FF and refresh with IE and I was logged off.

So Sedo uses URL-based sessions.

IF YOU PLACE YOUR URL TO AUCTION DELETE THE SESSION ID!!!
 
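Asian's test above shows the core problem: a session token carried in the URL means that handing someone the link hands them the logged-in session. The helper below is an added example (not code from the thread or from Sedo) that strips such parameters from a link before it is pasted into a post and flags URLs in a draft that still carry one; the parameter names in SESSION_PARAMS and the host are assumptions, since the thread never names the actual parameter.

```python
"""Strip URL-carried session tokens from links before sharing them.
Session tokens belong in cookies, not in the URL (see thread): a URL is
copied, logged, posted and referred on, so a token in it is effectively
public. Parameter names below are ASSUMED placeholders, not Sedo's."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical names that commonly carry a session token (assumption).
SESSION_PARAMS = frozenset({"sessionid", "sid", "phpsessid", "jsessionid", "session_id"})


def strip_session_params(url: str) -> str:
    """Return the URL with any session-carrying query parameter removed.
    Other parameters (e.g. the domain/auction identifier) keep their order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    # Some frameworks carry the token in the path as ';jsessionid=...'; drop it too.
    path = re.sub(r";jsessionid=[^/;?]*", "", parts.path, flags=re.IGNORECASE)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))


def find_leaky_urls(text: str) -> list[str]:
    """Return every http(s) URL in a draft post that still carries a session
    parameter, so the author can clean it before submitting."""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    return [u for u in urls if strip_session_params(u) != u]


if __name__ == "__main__":
    # Constructed sample post; host and parameter names are placeholders.
    post = ("Bidding is open: https://auction.example/lot?domain=example.com&sid=abc123 "
            "and a clean link: https://auction.example/lot?domain=example.net")
    for leaky in find_leaky_urls(post):
        print("remove session id before posting:", leaky, "->", strip_session_params(leaky))
```

Logging out server-side (as Asian observed) invalidates a leaked token, but a link posted while still logged in is live until then, so cleaning the URL before posting is the safe habit.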
Asian said:
Hmmm..
I was bored so I tested this.
I went on IE. Logged in. Opened up an auction.
Copy URL and open with FF. Usually the session is cookie-based, but with Sedo it is URL-based, and I was suddenly logged in. :O
But I logged off with FF and refresh with IE and I was logged off.

So Sedo uses URL-based sessions.

IF YOU PLACE YOUR URL TO AUCTION DELETE THE SESSION ID!!!

Oooh. Brilliant! Thanks for the tip. I think I did place a Sedo auction URL earlier (not sure if it was logged in or not). Though I deleted that Sedo link about 1 minute after I posted, as I misread one of the posts. Though kinda low chance that HasRob clicked it?
Anyways, at least that clears up :)
Thanks again for the great tip. *writes down* I will make sure to delete the session ID next time :hehe:
 
No, I didn't click it. I went to sedo.com and was in your account. Very strange.
 
HasRob said:
No, I didn't click it. I went to sedo.com and was in your account. Very strange.

Thought so, the chance was too low anyway. Could it be possible to have duplicated session IDs? I hope they will fix it as soon as possible. I don't like security holes. :(
 
Thank you for letting us know. I only have 2 domains in Sedo, so I'm safe :wave:
 
Okiao,

You are very lucky sir that Hasrob is so honest!

Kudos Hasrob!
 
HasRob, that was very nice of you to research the owner (oKiAo) and notify them. :tu:

And thanks for bringing this situation to light. I'm going to send Mara (member 'sedo') a message and ask her to visit the thread. She's a great lady and always anxious to help.
 
Can you clarify something?

1. If you are logged into Sedo, start an auction, copy the link to your auction and paste the link onto NP, DNF, etc. is there a security issue with that?

2. Should you be OK with Sedo if you log out after each session, or might there still be issues?
 
Asian said:
Hmmm..
I was bored so I tested this.
I went on IE. Logged in. Opened up an auction.
Copy URL and open with FF. Usually the session is cookie-based, but with Sedo it is URL-based, and I was suddenly logged in. :O
But I logged off with FF and refresh with IE and I was logged off.

So Sedo uses URL-based sessions.

IF YOU PLACE YOUR URL TO AUCTION DELETE THE SESSION ID!!!
Wow, that's a major security hole. Hard to believe something quite so obvious could even exist, especially with a company like Sedo.

That still doesn't explain HasRob/oKiAo's situation though if he didn't click the link. I wonder how long the session ID is valid for, if you don't logout after.

Zona: Logging out doesn't allow access later using the method in Asian's post.
 
I've had the same thing recently. When sending a Sedo link be very careful not to include the session ID or anyone could access your Sedo account.
 
What do you mean "anyone could access your Sedo account"?

sdsinc said:
I've had the same thing recently. When sending a Sedo link be very careful not to include the session ID or anyone could access your Sedo account.
 
cache said:
What do you mean "anyone could access your Sedo account"?

Anyone that clicks on the links that have the session ID will be able to get into your domain management area.
 
oKiAo said:
Anyone that clicks on the links that have the session ID will be able to get into your domain management area.
That is too damn scary with 3000+/- domains.

Is this happening only on auction pages or general sedo listings, home page, etc.?

Anyone care to try?
 