Invalid automatic login

A portion of a website I access is controlled by a username & PW. Recently I found myself automatically logged in under a username that was not mine. I am concerned this is a security risk, however am uncertain what steps to take to resolve. Rebooting did not resolve the problem.


Difficult to answer not knowing what type of website it is. Made by you with Dreamweaver, a Joomla 1.5, 2.5 or 3.0, WordPress etc.?

I know that Joomla 1.5 websites, because they have stopped supporting them, have been vulnerable to being hacked. Check with FTP to see if there is a "Hacked.php" file in the root. That is the hacker saying how clever he is! Don't bother to delete it; rather change it to ....old and upload another harmless and useless file called hacked.php. That does not really help but says to the hacker, "Hi!" :-)

A bit more information and perhaps someone will help more. I'm no expert but my J 1.5 website was hacked and they added several users.


It certainly could be a hacked website but in my experience, when people have this problem it's always been caused by someone else using the same computer to log into a website and clicking the option to “remember me” or “automatically log me in”.

This stores a cookie in the browser which means each time the website is visited from that computer using the same browser their account will be automatically logged in.

It’s a security risk for the other person because anyone else using the computer has access to their account. The risk to you is that you may inadvertently enter some of your personal data onto their account which they could then view next time they access it.

Rebooting the computer won't stop this.

There should be an option to log the person off from the website; this will stop them being logged in next time you or they visit the website.

This will not stop them from clicking "remember me" in future so you can also set the browser to delete all cookies on exit. This means that if they do the same thing again it won’t matter because the information will be automatically deleted when the browser is closed.

If you are aware of someone else using your computer it would be a good idea to set up a separate user account for them. If you are unaware then I would change my password to something stronger.

If it’s a shared computer such as at work then log the other person off and make them aware of what they are doing if you can find out who it is.


It's not impossible for the website to actually have a BUG where you are given the same security token or cookie of a previous user. I've actually seen this happen on a few websites and it obviously caused a lot of privacy issues.

What I would do (in this order) is:

  1. Scan your PC with quality Anti-Virus/Malware tools
  2. Clear all your cookies and delete all history
  3. Email the website letting them know what happened. If it's a bug, they probably are getting emails from other users also so the more data they can get the better
  4. Keep reading groovyPost.com for more tips and tricks on security and privacy! ;)

Here's a good link to blow away browser cache and cookies etc....

http://www.groovypost.com/news/ccleaner-updated-support-windows-8-opera/

Really can't beat CCleaner... it's free also.


Thanks, Steve. I ran a quick-scan; I think that cleared the cookies. My virus software does regular scans. I e-mailed the website & the response was that it was a cache problem they were aware of.
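
The site's answer points at caching. One common way a cache hands a visitor someone else's login is a shared cache (CDN or reverse proxy) storing a response that carries a session cookie. The check below is an added example, not code from this thread or from the site in question; it assumes the problem was of that kind, and its function names and sample headers are constructed for illustration.

```python
# Added example: flag responses whose Set-Cookie could be stored by a shared cache.
# All sample headers are constructed; names here are illustrative, not a site's API.
from email.parser import Parser

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lowercased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_findings(raw_headers):
    """Reasons a CDN or reverse proxy might replay this response,
    cookie included, to a different visitor. Empty list means none found."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    if not msg.get_all("Set-Cookie"):
        return []                       # no cookie, nothing user-specific to replay
    cc = parse_cache_control(", ".join(msg.get_all("Cache-Control") or []))
    if "no-store" in cc or "private" in cc:
        return []                       # shared caches are told not to store it
    findings = []
    if "public" in cc:
        findings.append("Set-Cookie on a response marked public")
    # s-maxage takes precedence over max-age for shared caches
    lifetime = cc.get("s-maxage") or cc.get("max-age") or ""
    if (lifetime.isdigit() and int(lifetime) > 0) or msg.get("Expires"):
        findings.append("Set-Cookie on a response with an explicit cache lifetime")
    if not findings:
        findings.append("Set-Cookie without private or no-store")
    return findings

SAMPLES = {  # constructed header blocks
    "login_cached": "Cache-Control: public, max-age=600\nSet-Cookie: session=EXAMPLE1; HttpOnly\n",
    "login_private": "Cache-Control: private, no-store\nSet-Cookie: session=EXAMPLE2; HttpOnly\n",
    "login_unmarked": "Set-Cookie: session=EXAMPLE3; HttpOnly\n",
    "static_asset": "Cache-Control: public, max-age=86400\nContent-Type: image/png\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, shared_cache_findings(raw))
```

A site operator would feed this the headers of login and account pages as seen from outside the CDN; any finding on a page that sets a session cookie is worth fixing with `Cache-Control: private, no-store`.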


Outside website, not one I created.


Personal computer not used by any other individuals. The user ID/pw is paid access to additional information on the website; i.e., listening to or watching audio or video files.
