yii-user-management
                        Security issue: overlapping usernames with HybridAuth
It seems that you can get logged in to the same user account in Yii with different HybridAuth logins, if the real names match.
So if John Doe creates a Yii account with, say, Facebook, and another John Doe logs in from a different Google/Facebook/etc. account, he will then access the first guy's data.
I have tested with two Google accounts and one Facebook account. I use the same real name ("Firstname Lastname") on all three accounts, and when using Yum and HybridAuth to register, "Firstname Lastname" registers as the username. Regardless of whether I register using one of the Google accounts or the Facebook account, the resulting user account can then be used from all three accounts.
Suggested solution: use the e-mail address as the user name instead of creating it from the real name.
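The lookup described in the report, as an added example that is not code from yii-user-management or HybridAuth: a display-name keyed lookup (the behaviour reported above) beside a lookup keyed on the provider and the provider-side identifier. The user table is a constructed in-memory array; the profile arrays use HybridAuth 2.x profile property names (identifier, displayName, email, emailVerified) with constructed values, and the example assumes emailVerified carries the address only when the provider reports it as verified.

```php
<?php
declare(strict_types=1);

// Added example (not code from yii-user-management or HybridAuth): the
// post-login step that decides which local account a social login maps to.
// $users is a constructed stand-in for the user table; $profile uses
// HybridAuth 2.x profile property names with constructed values.

/** Vulnerable lookup: the username was derived from the real name, so any
 *  provider account with the same display name resolves to the same user. */
function findUserByDisplayName(array $users, array $profile): ?array
{
    foreach ($users as $u) {
        if ($u['username'] === $profile['displayName']) {
            return $u;
        }
    }
    return null;
}

/** Hardened lookup: only the (provider, identifier) pair recorded at
 *  registration or linking time identifies an account. */
function findUserByIdentity(array $users, string $provider, array $profile): ?array
{
    foreach ($users as $u) {
        foreach ($u['identities'] as $ident) {
            if ($ident['provider'] === $provider
                && $ident['identifier'] === $profile['identifier']) {
                return $u;
            }
        }
    }
    return null;
}

/** Pick a free username, so two people with the same real name do not
 *  collide on the username column either. */
function uniqueUsername(array $users, string $base): string
{
    $taken = array_column($users, 'username');
    $candidate = $base;
    for ($n = 2; in_array($candidate, $taken, true); $n++) {
        $candidate = $base . '-' . $n;
    }
    return $candidate;
}

/** Resolve a login: by stored identity first; by e-mail only when the
 *  provider vouches for the address; otherwise register a new account. */
function resolveOrRegister(array &$users, string $provider, array $profile): array
{
    $user = findUserByIdentity($users, $provider, $profile);
    if ($user !== null) {
        return $user;
    }

    $identity = ['provider' => $provider, 'identifier' => $profile['identifier']];

    // Assumption: emailVerified holds the address only when the provider
    // reports it verified (null otherwise). An unverified address must not
    // link logins, or a provider that lets users type any e-mail takes over.
    $verified = $profile['emailVerified'] ?? null;
    if (is_string($verified) && $verified !== '') {
        foreach ($users as $id => $u) {
            if (strcasecmp($u['email'], $verified) === 0) {
                $users[$id]['identities'][] = $identity;
                return $users[$id];
            }
        }
    }

    $id = $users === [] ? 1 : max(array_keys($users)) + 1;
    $users[$id] = [
        'id'         => $id,
        'username'   => uniqueUsername($users, $profile['displayName']),
        'email'      => $profile['email'] ?? '',
        'identities' => [$identity],
    ];
    return $users[$id];
}

// Constructed scenario from the report: one person registers via Facebook,
// then a different person with the same real name logs in through Google.
$users = [];
$victim = ['identifier' => 'fb-1001', 'displayName' => 'Firstname Lastname',
           'email' => 'fl@example.com', 'emailVerified' => 'fl@example.com'];
$other  = ['identifier' => 'goog-2002', 'displayName' => 'Firstname Lastname',
           'email' => 'fl@example.net', 'emailVerified' => null];

resolveOrRegister($users, 'Facebook', $victim);
$byName = findUserByDisplayName($users, $other);        // the reported behaviour
$second = resolveOrRegister($users, 'Google', $other);  // hardened flow

printf("name lookup -> user %s; identity flow -> user %d (%s)\n",
    $byName['id'] ?? 'none', $second['id'], $second['username']);
```

The design point is that the real name is not an identity: the provider's user identifier, scoped to that provider, is. Switching the username to the e-mail address, as suggested above, only helps when the provider actually verified the address, and the username still has to be made unique at registration time so a second "Firstname Lastname" does not fail or collide.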
Thank you for reporting this severe security issue. I will investigate and fix this as soon as possible!
Thanks for the quick reply! Maybe I could help out as well. I've created a fork. I also have another question/suggestion. Can I PM you on IRC?
I was very busy at work today - I will look into this issue this evening. Of course you can contact me on IRC or Skype "herbertmaschke" ;)
Please check if this potential fix fixes the issue, thank you!
https://github.com/thyseus/yii-user-management/commit/a4a6970f9d561db37a5aed49ccf58f3ebcf7b6df
Thanks Herbert, I'll check it out!
On Tue, Feb 4, 2014 at 7:29 PM, Herbert Maschke wrote:
> Please check if this potential fix fixes the issue, thank you!
> https://github.com/thyseus/yii-user-management/commit/a4a6970f9d561db37a5aed49ccf58f3ebcf7b6df