Fuji Security breach disclosure: Members logged in as other members

Amin

Hall of Famer
Earlier today, I was trying to set up fastcgi caching for guest visitors to see pages more quickly.

See: XenForo Forum with Nginx fastcgi_cache full page guest caching

Somehow that resulted in some members here at FujiXspot and also at another site (TalkEmount) being briefly logged in as other members. There was at least one case of a member posting accidentally under someone else's account.

It is possible that some members could have read someone else's PMs and/or viewed their email addresses and birthdates. They would not have been able to access passwords.

The situation was fixed within about an hour after it was reported.
 
@spinyman - After further investigation, I think that @Haswell must have accidentally posted under your account. The reason I say this is that Haswell is the only one who previously used the IP address that was used to post about going vegetarian under your account.

I think what happened is that Haswell must have gotten logged in as you when I made the changes mentioned in the OP of this thread and then must have stayed logged in since that time. I've now forced everyone to re-login, which I think will prevent this sort of thing from happening again. Very sorry this happened to you.