question

0 Likes
negus11 asked ·

I am posting this question with an account that is not mine. How did I get signed in as this person?

I am currently signed in on developer.ebay.com as my correct developer account. When I click on Community > API Forums and then click Login on the resulting screen, I am automatically logged in as a user named negus11 with access to his email address, forum details, 'about me', etc. I seem to be unable to log in as myself. My own account is dtakahas. This seems like a serious breach to me and I would be horrified to see someone else posting as me, changing my details. Please respond.
Tags: bug, security

0 Likes
helios825 answered ·
Your eBay Developer account won't log you in here on the forums. Your regular eBay buyer/seller account will. So if you're logged in here as "negus11", then you're logged in to all of eBay as that person. Check your My eBay, other eBay forums, other eBay areas, etc., and you should see this is the case. This doesn't seem to be a Developer issue. Maybe you let someone use your computer before you and they used eBay? Family member with a secret buying account? Or are you on a shared/public computer where some previous person forgot to log out?

0 Likes
negus11 answered ·
No, there's definitely something fishy here. Looks like the repro isn't exactly what I thought. I think it may have to do with logging into sandbox.ebay.com as my test user and then clicking Forums Sign in here. I am automatically logged into the forums as this negus11 user. I was able to do it after wiping my browser cache and shutting down my browser. I'll see if I can post exact steps.

1 Like
negus11 answered ·
@helios825 Okay exact repro:

1. I sign into sandbox.ebay.com with my test user account
2. In a separate browser tab, I open forums.developer.ebay.com
3. I click Forums Sign in
4. I am automatically logged into the forums as this account (which is not mine)

0 Likes
andyjam72 answered ·
@helios825 Wow I just hijacked THIS account now by creating a new test user in sandbox and doing the same thing. I am the same person as originally posted.

0 Likes
melodyshops answered ·
@helios825 Here's another. Seems I can just keep creating sandbox users and getting random ids here. If you know who to alert about this, any advice would be much appreciated.

0 Likes
helios825 answered ·
So you're saying you created new Sandbox users, using the Trading API, right? And the user you created is NOT the various users that you have been accidentally logging into this forum and posting as? These other users that you are posting as -- when you go into My eBay on the main eBay website, and you look at account setup details (name, address, email address, etc.), do they look like real user info?

0 Likes
melodyshops answered ·
I created the new sandbox users in the developer web UI: https://developer.ebay.com/DevZone/SandboxUser/ This melodyshops account is NOT the user I created in sandbox. My guess is that the forum login is pulling an id from a cookie that was set in sandbox.ebay.com and matches it to this user in prod. When I go to ebay.com, I am thankfully not this person.
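The guess in the post above (a forum login that takes an id from a cookie set on sandbox.ebay.com and matches it to a user in prod) can be modelled as a login that is not bound to the issuing environment. This is an added example, not part of the original thread and not eBay's code; the cookie format, user stores, keys and function names are all hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed data: two independent user stores whose numeric ids collide.
SANDBOX_USERS = {1001: "testuser_example"}
PROD_USERS = {1001: "prod_member_example"}
# Hypothetical per-environment signing keys.
KEYS = {"sandbox": b"sandbox-demo-key", "prod": b"prod-demo-key"}


def issue_cookie(env, user_id):
    """Issue a cookie carrying {env, uid}, signed with the issuing environment's key."""
    body = base64.urlsafe_b64encode(json.dumps({"env": env, "uid": user_id}).encode())
    tag = hmac.new(KEYS[env], body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def forum_login_naive(cookie):
    """Flawed: reads the uid and looks it up in the production store,
    without checking which environment issued the cookie."""
    body = cookie.split(".")[0]
    claims = json.loads(base64.urlsafe_b64decode(body))
    return PROD_USERS.get(claims["uid"])


def forum_login_bound(cookie, expected_env="prod"):
    """Hardened: the signature must verify under the expected environment's key
    and the env claim must match before the uid is resolved."""
    try:
        body, tag = cookie.split(".")
        want = hmac.new(KEYS[expected_env], body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, want):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if claims.get("env") != expected_env:
        return None
    return PROD_USERS.get(claims.get("uid"))


if __name__ == "__main__":
    sandbox_cookie = issue_cookie("sandbox", 1001)
    print("naive:", forum_login_naive(sandbox_cookie))
    print("bound:", forum_login_bound(sandbox_cookie))
```
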

0 Likes
melodyshops answered ·
If it helps, melodyshops maps to testuser_hijack_forums2 in sandbox.

0 Likes
melodyshops answered ·
When I go to My eBay, I get an error page. I'm not sure who I am actually signed in as to be honest... http://pages.ebay.com/messages/page_not_responding.html?eBayErrorEventName=p4n%7Cceb%7Cehq%60%3C%3D%60mb6a54d.1354-2016.08.28.09.58.46.252.MST

0 Likes
melodyshops answered ·
Okay, actually I can see some of this person's eBay info, like their watch list. It's really confusing because in the top left account dropdown, it says the sandbox user's account, but in other places, it says the first name of this account's owner. Most of the My eBay pages have errors.
