⚠P0 - Session Misrouting / Identity Mix-Up / User Data Crossover Issue
Closed this issue · 3 comments
⚠IDENTITY MIX-UP / SESSION MISROUTING / USER DATA CROSSOVER ISSUE
Priority: likely P0
Affecting: Actively affecting browser sessions (using manual user/password login option) at app.simplenote.com
Upon login, user sessions for the Electron web app are currently fetching the incorrect user's data for some users. First noticed Aug 16 2024, and saw another user also posted an alert earlier today on the Simplenote help forums.
Expected
User is shown their own user data upon login
Observed
❗ User is shown the wrong user's data (including wrong email address) upon login, with full access to all of that user's private notes. Immediately logged out of web app, used mobile app to export all personal data (Android session data still seemed intact), then used mobile app to delete account.
Reproduced
- Go to: https://www.app.simplenote.com
- Log in via manual email/password login
- Incorrect user data is shown (sometimes even displaying the incorrect user's email address in a popup modal dialog that requests the user to either 'confirm' or 'change' their email address - clicking 'change' takes the user to a settings page which may actually show the correct user email address - pressing the button to return to notes again surfaces the incorrect user's notes.)
📸 screenshots omitted to preserve user's privacy - redacted photo proof available upon request
Where did you see the bug
- System Model: Razer Blade Pro 2021
- OS: Windows 10
- Browser: 🦁 Brave (Brave Desktop Browser for Windows)
- Browser version: Brave v1.68.141 (based on Chromium v.127.0.6533.120)
- Simplenote app version: Latest (Unknown)
I am experiencing this bug now. I log in and get notes written in Cyrillic by some Dmitry. I don't even want to think about what would happen if anyone gets my notes. Whose responsibility is this?! Fix this ASAP
Related support forum thread:
🔗 https://forums.simplenote.com/forums/topic/simplenote-security-breach-tonight/
Thanks for the reports, y'all, and sorry for the mix-up. This has been addressed.