a major profile linking bug

9 years 1 month ago #52258 by iozger
hello,
Sorry for calling it bug, I just think it is a bug. You will decide if it is a bug for sure :)

platform:
jomsocial v4.0.2
jfbconnect v6.3

browser: mozilla (I didn't try it for other browsers)

information:
userA: registered user via regular register (not via facebook)
userB: registered user via facebook
userC: any other registered user (registration method doesn't matter)

userA, userB and userC have different e-mail addresses.

scenario:
1. browse userC's profile directly in jomsocial without logging in
2. try to send message to userC. since you are not logged in, jomsocial v4.0.2 will pop up an ajax login box with jfbconnect button on it. don't log in, just keep it there.
3. open a new tab from the same browser and go to site's homepage.
4. login to the site via userA's credentials. now you are logged in to the site as userA.
5. open the previous browser tab, ajax login pop up is still there.
6. click login with facebook and enter userB's facebook login credentials.
7. you will receive a message that profile is linked.

Result: Yes, userA and userB profiles are linked in this case. users' emails don't change, but userA's avatar, user status and birthday are imported from userB, and maybe more fields.
The topic has been locked.
9 years 1 month ago #52275 by alzander
What you describe is the correct behavior, although I can see how it can be incorrect. When UserB 'sits' on the page and doesn't log in, while you log in with a different user in a different tab, Joomla now sees a session open for that browser. Since the browser is the same browser being used and the cookies are all transmitted the exact same, when you click the Facebook login button with userB, Joomla processes the request as though userA is logged in (since they are) and JFBConnect assumes that userA is trying to re-map their account to a new (userB) Facebook account.

There's no way for us to detect this scenario in JFBConnect because Joomla itself is performing the login 'behind our back' (for userA) and handing us a social login (userB) later on.

Of course, this is also very, very abnormal behavior as it's not the normal way users navigate your site either. We've heard of this issue rarely in the past and it's only ever cropped up in cases where users are testing their site in multiple ways.

I hope that helps explain some more. If you know of a way that this could be actively exploited as a security risk on a wide scale, of course, let us know.

Thanks,
Alex
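The sequence in the thread (login form shown to an anonymous session, a different account logging in from another tab, then the social-login callback arriving) is a general session-identity race. As an added, framework-neutral illustration, not JFBConnect or Joomla code, the following binds the OAuth `state` token to whichever account the session held when the form was rendered and refuses to link if that identity has changed by callback time; the session dict, `USER_MAP` and the account names are constructed assumptions.

```python
import hmac
import secrets

# Constructed sample of a social-uid -> site-account map (assumption, not JFBConnect's table).
USER_MAP = {"fb-userB": "userB"}


def begin_social_login(session):
    """Call when the login form (e.g. the ajax popup) is rendered.

    Records which account, if any, the session holds at that moment and returns
    a fresh nonce to send as the OAuth 'state' parameter.
    """
    nonce = secrets.token_hex(16)
    session["social_login_state"] = {
        "nonce": nonce,
        "bound_user": session.get("user_id"),  # None for an anonymous visitor
    }
    return nonce


def complete_social_login(session, state, social_uid):
    """Call on the provider callback.

    Returns (action, user) where action is 'login', 'link' or 'reject'.
    """
    pending = session.pop("social_login_state", None)
    if pending is None or not hmac.compare_digest(pending["nonce"], state):
        return ("reject", None)  # no flow started, or state does not match

    current_user = session.get("user_id")
    if current_user != pending["bound_user"]:
        # Identity changed between form render and callback (e.g. a login in
        # another tab). Do not link the social account to whoever is now
        # logged in; the user must restart the flow from a consistent state.
        return ("reject", None)

    if current_user is None:
        # Anonymous when the form was shown and still anonymous: a real login
        # (None here means "unknown social uid", i.e. a registration path).
        return ("login", USER_MAP.get(social_uid))

    # Same account before and after: an intentional link request.
    return ("link", current_user)
```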
9 years 1 month ago #52284 by iozger
Thank you Alex,
I have met this condition by chance. I guess this exact scenario would be a very rare condition. I just wanted to warn there might be other cases with the same idea. But I got your explanation.

By the way, now my super user is accidentally linked to my test user. Although I deleted the test user and tried to re-register on the site, it is again linked to the super user. I can't separate them anymore. How can I separate them :D
9 years 1 month ago #52288 by mel
The linking is in the JFBConnect User Map table. Go into JFBConnect > User Map in the backend and find your Super User. Delete the entry that points to your Test User's Facebook profile. That should do it, but let us know if you still have problems.

-Melissa