Monday, February 14, 2011

A possible security bug in Plenty of Fish

I think I may have found a security-related bug in Plenty of Fish...

It looks like your session can remain active even if you have attempted to clear out your cookies and cache (provided you have multiple windows open).

Here is the scenario:

I was logged into Plenty of Fish and had multiple (Plenty of Fish) windows open; I was looking at different profiles and am in the habit of opening new windows when browsing.

After surfing for a while I decided to clear out my cache; I was using the latest stable build of Firefox, went to Tools > Clear Recent History, selected everything, and hit OK.

After clearing everything (which includes cookies and active sessions), I got the impression that this would mean my session would be killed and that if I attempted to click on a new profile or send a message I would be asked to re-authenticate. This is not the case.

After my session had been "killed", I was still able to view new profiles and even email members I was interested in, and I was able to confirm that these messages had successfully gone through.

What if you were on a public computer and thought that by clearing your cache and cookies, your session would be killed and that no one else would be able to use your profile?

Something to think about...