Forum issue? Getting logged into other peoples accounts at random

[Chris B]

Is this an issue that's happened elsewhere before, @Moo? 

[Moo]

2 minutes ago, Chris B said:

Is this an issue that's happened elsewhere before, @Moo? 

Do you mean on ukff.com or more generally? Caching issues are quite common, but I don't think we've ever had this issue on ukff.com before, ever. 

[Chris B]

Just now, Moo said:

Do you mean on ukff.com or more generally? Caching issues are quite common, but I don't think we've ever had this issue on ukff.com before, ever. 

I mean more generally. Just curious how you figured out what happened and how it got solved - I'm guessing, if similar effects have happened on other forums, that made it easier to solve.

[Keith Houchen]

3 hours ago, Keith Houchen said:

And see which members they were bitching about behind their backs. Verrry interesting…

Ok. I posted this as I thought it was funny to shit people up as I am assuming people have said how other members are arseholes via PM. True to form, nobody else did. 
 

I’m sorry for any anxiety caused by this. It was obviously bollocks as Moo and others have explained how PMs couldn’t be read. 

[quote the raven]

I was aware of this morning and thought it was a hack, when changing my password failed I logged off and got hold of the people I had on Facebook to do the same.

emailed moo. 
 

That said I was @RalphyV2 long enough to want to eat biscuits.

 

Edited November 25, 2022 by quote the raven

[Loki]

Not that I don't believe you @Moobut I absolutely was able to click the messages button at the top and saw a list of someone's PMs, headings and first line of content.

Are we assuming therefore that that account had happened to open their own inbox and then I did the same and saw their cache?

[Max Power]

I'm generally thick regarding any tech, so it's refreshing to know that I haven't made a bollocks of my account.

Although my general posting does suggest otherwise, granted.

[Moo]

5 minutes ago, Loki said:

Not that I don't believe you @Moobut I absolutely was able to click the messages button at the top and saw a list of someone's PMs, headings and first line of content.

Are we assuming therefore that that account had happened to open their own inbox and then I did the same and saw their cache?

Yep - that's exactly what would have happened - the person's PMs you saw would be someone who had visited the forum during the time period and had opened their messages during that time.

[Moo]

10 minutes ago, Keith Houchen said:

Ok. I posted this as I thought it was funny to shit people up as I am assuming people have said how other members are arseholes via PM. True to form, nobody else did. 
 

I’m sorry for any anxiety caused by this. It was obviously bollocks as Moo and others have explained how PMs couldn’t be read. 

To be clear - that is not the case. Someone could have seen DMs from another account if that person had read their own DMs during the time period. Because of the way caching works, it's sort of a roll of the dice whether you saw your own DMs or someone else's who was also accessing the forum at around the same time in the same location.

[SuperBacon]

28 minutes ago, Moo said:

So a request to a website with a CDN cache (like we have) works like this:

Your browser > Content Delivery Network (CDN) Cache > ukff.com server

If the URL is in the cache, then the content is returned without talking to our server, like this:

Your browser > Content Delivery Network (CDN) Cache

A typical CDN has maybe 100+ different caches around the world. If we assume most UKFF visitors are from the UK (logical!?) then there's maybe 3-4 different cache locations people typically would be routed to. Under normal circumstances, logged-in content would not be cached at all - and traffic would skip the cache and be delivered *only* to you.

However, during the time period of ~1300 yesterday to ~0930 today the CDN was caching too aggressively. What that means is if you were the first person to hit http://ukff.com/some/url in lets say the London location yesterday when the issue started, the version of http://ukff.com/some/url that you saw would go into the cache. If I came along after that and requested the same http://ukff.com/some/url URL, I might see your version of the page. So individual logins weren't compromised or leaked, but you might have seen the HTML that was destined for me because my version got cached before you. It's an important distinction between that and a database leak which is where someone gets the entire database of all users and content, forever. That is not what happened. The tricky part is it's really hard to be certain exactly what pages were cached and from which accounts... but suffice to say if you did not visit ukff.com while logged in during the time period, your pages will absolutely not have been put into the cache at all and therefore nobody else could have seen them.

The fix was to remove the caching configuration and purge the cache completely, which is what happened at ~0930 today. At that point, all cached pages were removed.

Mate, if I didn't understand the first post, I'm not gonna understand that am I? 😂

[PunkStep]

If anyone were able to see my messages, all they'd see are conversations with @SuperBaconabout football kits and @Carbombpleading me to go and see SASH! with him.

[Guest]

If anyone saw mine, I can only apologise and suggest counselling.

[SuperBacon]

7 minutes ago, PunkStep said:

If anyone were able to see my messages, all they'd see are conversations with @SuperBaconabout football kits and @Carbombpleading me to go and see SASH! with him.

Combine the two with a lovely Peru shirt

[PunkStep]

Ecuador, surely?

[Carbomb]

26 minutes ago, PunkStep said:

If anyone were able to see my messages, all they'd see are conversations with @SuperBaconabout football kits and @Carbombpleading me to go and see SASH! with him.

Actually pleading with you to go and see him one more time