A Conversation for h2g2 Feedback - Bug Reports

***URGENT*** BUG REPORT - LOGIN DETAILS

Post 1

U758965

This, believe it or not, is Whisky (U180644) I'm speaking to you from an account I do not own and should have no access to...

Opened my browser this morning (which automatically logs me in using cookies).

First thing I noticed was that there was no (X new postings) link on my MP page...

The first time I tried to post, the system sent me to a page saying my password had been incorrectly entered three times and asked me my secret question, I answered my secret question and found myself logged into this account.

Now, unless someone has had access to this computer, at some time between 22:00 last night and 08:00 this morning, when it was in a locked office... Something's seriously wrong with the system...

I'm now going to log out and try to log back in with my own ID



Post 2

Whisky

Ok, I appear to be back - but that's one serious bug


Post 3

Icy North

That, and a novel excuse for a sock puppet.

I reckon details of security issues should probably be e-mailed directly to the Eds rather than posted here - what do you think?


Post 4

SEF

> "a novel excuse for a sock puppet."

That's really not an account anyone should want to lay claim to!


Post 5

Whisky

I've quite enough secondary accounts without laying claim to that one smiley - winkeye

(Plus - I can spell better than that guy)


Post 6

SEF

Ah, it's another of the same name and not quite as bad as it might have been. smiley - biggrin The "bug" is very bad though. It would be rather an odd coincidence for Whisky to have exactly the same security question-answer as someone else.


Post 7

Whisky

>>>It would be rather an odd coincidence for Whisky to have exactly the same security question-answer as someone else.

It'd be a ruddy miracle a) The question itself doesn't make logical sense and to get the answer you'd probably have to 'brute force' it, entering half the dictionary - (unless you were one of two people on this planet - me or my son - and my son wasn't in my office last night smiley - winkeye)


Post 8

Whisky

Oh and as to keeping this off-site... As I've test posted to my own PS with that other account, I'd like to keep some on-site, public record of what happened so that when (or if) the guy comes back he can follow what's happened to his account.

Nothing that's been posted yet _should_ make it possible for someone to deliberately reproduce this.


Post 9

Icy North

Yes, I agree that you haven't posted anything that would assist a breach. I just wanted people to think twice before they posted. smiley - ok


Post 10

Whisky

smiley - boing


Post 11

Kerr_Avon - hunting stray apostrophes and gutting poorly parsed sentences

Now, that's funny.

I often get messages telling me my password's been entered incorrectly three times, and asking me for the answer to my 'secret question'. I can then log in fine, although I get a 'change password' prompt.

I know that no-one's been trying to log in on this machine though - I'm the only one with access to it.

Wonder if the problem's related.

smiley - ale


Post 12

Whisky

I'd forgotten about that bit - I got the "change password" bit too... and I typed in my existing password in the second box (the first one still had the right number of ****** in it)

So, with my password and my secret question I managed to get into someone else's account smiley - weird


Post 13

SEF

I would guess that person is now stuffed and won't be able to use their own account (unless perhaps if they get in via cookie rather than password).


Post 14

Whisky

Don't know, the one thing I didn't notice was their login name as opposed to their screen name...


Post 15

Whisky

Having said that - I'm now sort of worried that if this guy does manage to log in and check his preferences - is he going to have open access to _my_ password and secret question...

Hmmm... It'd be nice to get a response to this one.


Post 16

Whisky

>>>It'd be nice to get a response to this one.

smiley - erm Scrub that - I'll settle for finding out if anyone has seen this one for the time being...


Post 17

SEF

I know of one person whinging last year that someone (mostly blames the BBC) took and blocked their previous account. But they are the very model of an unreliable witness. So it's hard to pick out anything much that makes sense from their complaints.

If it was happening a lot, eg some (new-ish) systematic error, there ought to be more reports. How difficult was it for you to recognise that you were in the wrong account? Can you conceive of anyone much simply carrying on regardless?

There's no obvious match in U-numbers between your account and the one you accidentally got (like the wrap round previously known to exist) to explain the initial error. But there could be a bug in the SSO extra info verification if it doesn't get used much and wasn't well tested on every software change.


Post 18

Whisky

Well, I noticed it because on logging in it took me to the other guy's personal space, which a) was blank and b) wasn't subscribed to the same conversations as me...

However, if it'd been someone else's page, who was also subscribed to Askh2g2 and PR (the two most prolific fora I'm subscribed to) I might not have noticed until I'd posted and seen the name at the top of the post.

(I did notice the login name was screwy - but ignored that when logging in)

As both my page and the other guy's appear in Brunel, you tend not to see the actual contents of the page - just the conversation lists - but I do find it hard to imagine you'd continue unaware for more than one or two posts.


Post 19

Traveller in Time Reporting Bugs -o-o- Broken the chain of Pliny -o-o- Hired

Traveller in Time smiley - tit logging in and out on other accounts
"I have not noticed anything, nor heard of this before."


Post 20

Whisky

To be honest - If I hadn't seen it with my own eyes - and managed to post under the other account - I wouldn't have believed it possible

