jacobwb/hashover-next

New comments are autofilled with login details of previous commenter

EMplIFil opened this issue · 5 comments

Came across a weird issue recently.

First, I had a spammer make a few spam posts. Let's suppose the name was "Brad".

Second, a new post was made by a different user making a legitimate comment, but the name was still, suspiciously, "Brad".

I looked into it, and it turns out that User 1 (the spammer) had a different IP address than User 2 (the legitimate user). I then wondered why they would have used the same name, which was quite unique. Both IP addresses were associated with different countries. Not a guarantee they were different users, but read on...

User 2 (legitimate user) entered their email, and I assume that was associated with a password as they opted to be notified of responses.

On the other hand, User 1 (spammer) did not enter an email.

Third, upon further investigation, I tried to open a random page on my site using an incognito window. To my astonishment, I saw all 3 fields autofilled:

  1. Name ("Brad")
  2. Password (dots)
  3. Email (the email of User 2)

So, it seems like the reason why User 2 had the same name as User 1 was because it was simply autofilled and they didn't bother to enter any information there.

And now, when new commenters visit the site, they're seeing all of this info from previous users.

*Edit: In addition, using this autofilled information, I can make comments which are posted under User 2's email and User 1's name, when in fact I am neither of those users.

I get that you could easily enter anyone's name into the name field, but email too? Especially when it is associated with a password? And why would someone else's info be autofilled in my browser?

How did this happen? Why did this happen?

*Edit 2: Oddly, it only happens in Chrome (even under different Google accounts), but not in Safari or Firefox.

Thanks for the quick response.

Currently it's set to "Cookies Login".

So, I tried this on a different computer with Chrome. At first, the login details weren't filled in.

Then I suspected it could be due to my LastPass extension. So I installed that, and the other users' login details were filled in again.

Looks like it's an issue with LastPass and not Hashover, or perhaps some combination of the two? Still, that is very bizarre.

The LastPass extension shows a list of accounts when you click it, but interestingly, the details for the other user do not appear there.

They only appear in the name / password / email boxes of the Hashover UI. I'm stumped.

da2x commented

This could be a caching issue too. An intermediary cache/proxy/CDN/etc. could be caching a personalized/logged in page.
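A defender-side way to test da2x's caching hypothesis, as an added example written for this issue (it is not HashOver's code and not something either commenter posted): the first function applies a simplified form of the RFC 9111 section 3 rules to decide whether a shared cache such as a proxy or CDN is even allowed to store a response, the second scans the served HTML for name/email inputs that arrive already filled in, and `audit` flags the dangerous combination of the two. The HTTP headers, the HTML and the field names `name` and `email` are constructed for the example and are assumptions, not HashOver's real markup; the RFC logic is deliberately reduced to the directives that matter here.

```python
"""Check whether a personalized comment page could be stored by a shared cache.

Added example for this issue thread; not HashOver's code. The cache rules are a
simplified subset of RFC 9111 section 3, and the form field names are assumed.
"""
import re
from typing import Dict, Mapping, Tuple

# Status codes a cache may store heuristically even with no caching headers (RFC 9111 §4.2.2).
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'private, max-age=60' into {'private': '', 'max-age': '60'} with lowercased names."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(status: int, request_headers: Mapping[str, str],
                           response_headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (storable, reason) for a shared cache, simplified from RFC 9111 §3."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(res.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing"
    if "private" in cc:
        return False, "Cache-Control: private forbids shared caches"
    # A response to a request with Authorization needs an explicit opt-in before a shared cache may store it.
    if "authorization" in req and not ({"public", "s-maxage", "must-revalidate"} & cc.keys()):
        return False, "Authorization request without public/s-maxage/must-revalidate"
    if "public" in cc:
        return True, "Cache-Control: public"
    if "s-maxage" in cc or "max-age" in cc:
        return True, "explicit freshness lifetime (max-age/s-maxage)"
    if "expires" in res:
        return True, "Expires header gives an explicit freshness lifetime"
    # No directives at all: a plain 200 HTML page is still heuristically storable.
    if status in HEURISTIC_STATUSES:
        return True, f"status {status} is heuristically cacheable with no directives"
    return False, f"status {status} is not cacheable without explicit directives"


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r'\b(name|value)="([^"]*)"', re.I)


def prefilled_identity_fields(html: str) -> Dict[str, str]:
    """Return {field: value} for name/email inputs that are served with a non-empty value.

    The field names 'name' and 'email' are an assumption for this example.
    """
    found: Dict[str, str] = {}
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("name", "").lower() in {"name", "email"} and attrs.get("value"):
            found[attrs["name"].lower()] = attrs["value"]
    return found


def audit(status: int, request_headers: Mapping[str, str],
          response_headers: Mapping[str, str], html: str) -> Dict[str, object]:
    """Flag a response that both carries another visitor's form data and may be cached for everyone."""
    storable, reason = shared_cache_may_store(status, request_headers, response_headers)
    prefilled = prefilled_identity_fields(html)
    return {"storable": storable, "reason": reason, "prefilled": prefilled,
            "risk": storable and bool(prefilled)}


# Constructed sample page: a comment form already filled with a previous commenter's details.
SAMPLE_HTML = (
    '<form><input type="text" name="name" value="Brad">'
    '<input type="email" name="email" value="user2@example.com">'
    '<input type="password" name="password" value=""></form>'
)
# Constructed response headers: one with no caching policy, one that opts out of shared caches.
RISKY_HEADERS = {"Content-Type": "text/html"}
SAFE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "private, no-store"}

if __name__ == "__main__":
    for label, headers in (("no Cache-Control", RISKY_HEADERS), ("private, no-store", SAFE_HEADERS)):
        print(label, "->", audit(200, {}, headers, SAMPLE_HTML))
```

The point the audit makes is that a page personalized only through form values, with no `Cache-Control` at all, is heuristically storable by a shared cache, so a proxy or CDN in front of the site would be within the rules if it handed the first commenter's name and email to the next visitor; sending `Cache-Control: private, no-store` on any response that embeds per-visitor data closes that path, and a `Vary: Cookie` header is a weaker fallback that keys the cache per session rather than per page.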