Watch your Sedo Account!!

Someone PM'd me here the other day and told me they clicked on my auction link to a name I have at auction and was put right into my account. They informed me they logged out right away and PM'd me the warning.

I just went to sedo.com to check my name at auction and I was automatically put into someone's account. Their name was Hai. Anyone here?

I emailed Hai as I had all of his domains in the domain management area right in front of me. Did a whois on one of them and got his email address.

Sent him the email and a screen capture of his account. You can see it attached.

Thoughts anyone? What's going on, Sedo?

HasRob..........
Has anyone reported this to Sedo yet? Done, contacted via form.

Very scary to see, thanks for the heads up!
Happened to me as well... if you are LOGGED IN to your account, and pull up your auction, copy the link and post it... it will copy your user info in that link and therefore, anyone that clicks it appears to be YOU.

So, log out, then search your domain and copy the link. No User ID, no access.

It is a security glitch to be certain, but one that can be avoided if you are careful. Sedo does indeed need to fix this.

GoPC!
Hmm, I checked my account today (was looking for how to change a domain from not for sale to for sale).
Then I went to Payment Detail, and funny: my PayPal email address (selected payment method) had been changed. I would highly recommend anyone who has had this happen to them check their Payment Detail just to make sure.

Just realized I have another email notification from that day as well (besides the notice that the payment information got changed): an email about Sedo Buyer Certification (which I never requested). Do I need to email them that I never requested it, or will it just expire if I don't send them the email required for Buyer Certification? Thanks
I clicked on a link provided by Hai and was also able to see all her personal data and all her domain names, then I logged out.

The good thing is that if you are not a Certified Buyer then no one could have put you in trouble.

I think Sedo has a lot of work to do.
Hello everybody,
some people in IDNforum just discovered the hole while accessing my account :)
To never have this big hole in your accounts any more: even if you take the auction link while you are logged in to your account, the link will be something like this:

https://sedo.com/auction/auction_detail.php?language=us&auction_id=4169&tracked=&partnerid=&session=5sdgg4rg845et4we8t45rg4e5rg45rg48

* (5sdgg4rg845et4we8t45rg4e5rg45rg48) isn't a real session ID; this is just for clarification.
The red colored number (4169 above) is the auction ID, the other colored part is the session ID; anybody who clicks the link will have the right to access your account as long as your session is still open. To get out of this hole you will have to delete everything after the red colored number, then the link will be like this:

https://sedo.com/auction/auction_detail.php?language=us&auction_id=4169

The link will refer to your auction page without any rights to access your account. OR the easiest way is to go to the auction page while YOU ARE NOT logged in to your account, copy the link, paste it, and you will not have any session IDs in it.

I sent the hole to Sedo and they replied to me with this answer:
**********
Hi Muhammad,

Thanks so much for getting in touch with us. I appreciate your notifying us of your perception of a security hole in our system. Although I am confident in the security of our site and marketplace, I will forward your message onto the technical department for their evaluation and consideration. If a security risk is deemed present, the appropriate changes will be made shortly. Again, thank you, and I hope you have a wonderful day!

Best regards,

Keith White
************

I hope this will help you to watch your Sedo accounts very well; just do the steps I mentioned above and you won't have any holes in your accounts :)

versu23: Sedo isn't getting worse, I see that they get better every day .. very good support, fast money transfer .. etc. All that happened, as I see it, because the auction system they made is a little big and has a lot of features, so it's so normal to have many security holes in it .. we find a security hole in vBulletin and Nuke every minute ;)
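An added example (not from the thread, and not Sedo's code) of the check the post above describes: flag a link that carries a session-like query parameter before it is shared, and rewrite it to the auction_id-only form shown above. Only `session` appears in the thread; the other parameter names are assumed common names, not anything Sedo uses.

```python
"""Detect and strip session tokens carried in URL query strings.

Added example: the thread describes auction links that embed the poster's live
session ID as a `session=` query parameter, so anyone opening the link is
logged in as the poster. These helpers flag such a URL and rewrite it to the
safe form (auction_id only).
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry a session credential. `session` is the
# one seen in the thread; the others are assumed common names, not Sedo's.
SESSION_PARAMS = frozenset(
    {"session", "sessionid", "session_id", "sid", "phpsessid", "jsessionid"}
)


def session_tokens(url: str) -> dict:
    """Return {param: value} for every non-empty session-like query parameter."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in pairs if k.lower() in SESSION_PARAMS and v}


def unsafe_to_share(url: str) -> bool:
    """True when opening the link would hand the recipient the poster's session."""
    return bool(session_tokens(url))


def strip_session_tokens(url: str) -> str:
    """Rewrite the URL without session-like parameters.

    Empty parameters (tracked=, partnerid= in the thread's link) carry nothing
    for the recipient, so they are dropped too, leaving the minimal link.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS and v != ""]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed input modelled on the link quoted in the thread; the token
    # value is a placeholder, not a real session ID.
    leaked = ("https://sedo.com/auction/auction_detail.php?language=us"
              "&auction_id=4169&tracked=&partnerid="
              "&session=5sdgg4rg845et4we8t45rg4e5rg45rg48")
    print(unsafe_to_share(leaked))      # True
    print(strip_session_tokens(leaked))  # ...auction_detail.php?language=us&auction_id=4169
```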
I feel the need to repeat myself: I understand the issue with the auction link.

The thread started because...

I went to www.sedo.com and was automatically put into Hai's account. I did not click on any auction link.

Sedo has a bigger security problem than they think, imho.

HasRob.........
Hi All,

I've asked our technical team to look into the issue that has been described. I will let you know when I have an update on the information. Thanks for bringing this to my attention.

Best,
Mara
Thanks Mara, please keep us updated on the progress.
That is very dangerous. What if you have an income in thousands of dollars in there?! They need to fix this right away!
Hi All,

Thanks for bringing this to our attention. Our technical team is working on it right now.

I would recommend logging out of your account before copying a URL. This will close the session so others are not able to access your account.

Best,
Mara
Sedo said:
Hi All,

Thanks for bringing this to our attention. Our technical team is working on it right now.

I would recommend logging out of your account before copying a URL. This will close the session so others are not able to access your account.

Best,
Mara

It will stop people accessing that specific account, but now that this issue is known it isn't going to stop people scanning for valid session IDs.

While the board is full of negativity towards Sedo lately, I've actually seen things improve: Sedo Pro is a massive improvement over the old parking, and my 6 sales last month were all processed within days. This problem, however, is unforgivable; this is basic web coding and one of the oldest tricks in the book, right up there with buffer overflows. Mara, I'd strongly recommend you suggest the Sedo senior management hire a security company to do a full review of this incident and the Sedo site in general ... it's not my place to tell you someone needs firing, you need to pay someone who does the job I used to 15k or so to tell you that :)