New login page -- handle with care; there's a security issue

[1992casey]

Some of you have likely seen that Yuku now allows you to log in
using your credentials from any of twelve different services, including:

• Facebook
• MySpace
• Yahoo
• Twitter
• Google
• AOL
• Windows
  Live
• Blogger
• Linkedin
• Flickr
• WordPress
• OpenID

There
are two ways to reach this page:

• Hitting the Log In button
  in the navigation bar without putting any information in the username
  and password fields.
• Hitting a Reply
  button while logged out.

The concept is cool, but the
implementation is not. As long as the outside account uses the same
e-mail address as your Yuku account, you're able to use that login to
gain access to Yuku. This might be handy for those who have trouble
keeping track of multiple passwords.

Here's the security rub. When you log out, a cookie is
saved that stores your password. When you want to log in again, you just
hit a button, and you're logged in without entering a password.
Obviously, that defeats the purpose of logging out. Therefore, if you use an alternate login on a computer that's
used by others, delete your cookies after logging out.

Here
are a couple of screen captures. The one directly below shows the login
screen. On the right, you'll see graphical buttons that will generate
popups to log you in via the twelve other services. Six buttons display
when the page is loaded. By hitting an arrow on the right, you can
access the other six.

http://images.yuku.com/image/png/ea3359039d05cb2754ad12d21a1eddba713973b.png

If
you log out and subsequently want to log in again, the "welcome back"
interface below replaces the buttons. This image uses Google as an
example.

http://images.yuku.com/image/png/a93355d65737410a503240fa01d8fe3207bbdea.png
When
one hits the Sign In button, s/he is logged in without a request for a
password.

Unfortunately, Yuku staff thinks this is fine. I was
told:

You logged out and logged right back in without closing
your browser. I think in a public place, one would close the browser
when an online session has finished. Try this again, without even
clearing your cookies. Just close your browser and it will ask for your
password again. There is no need to clear cookies after each login...

This information is wrong. Closing
one's browser window doesn't clear cookies. Quitting (exiting) the
browser application only clears cookies when set to do so. No browser
clears cookies upon exit by default.

My advice? If you're the
only one using your computer or if you're good at remembering to toss
your cookies when you're through browsing, go ahead and use this
feature. If not, stick to the regular Yuku login.

[sbrylski]

Wow, Yuku is incredible. Keep the stories coming, Casey, they are a "entertaining" read... and thanks for dealing with those clowns, that must be a tough job.

[1992casey]

I'm sure there'll be another "entertaining" story soon. In the interest

of full disclosure, here's what RPX's web site says about this login,

which uses their technology.

Quoth RPX:

---

Import User Profile Data and Contacts

 

RPX imports a rich set of user registration and profile data to your site from several sources, including OpenID Simple Registration, Attribute Exchange, the hCard microformat, Portable Contacts, Facebook Platform, Twitter, and Windows Live ID. RPX makes it easy to consume this data by normalizing it into a format that is easy to extract and use. In addition, RPX is able to import a user's address book and contacts from supported providers.

Except for testing, I think I'll stick to the regular Yuku login. To test, I've been using newly created accounts specifically set up for that

purpose.

[1992casey]

I had one thing wrong. If you actually quit (exit) your browser and try to log back in, your username will appear, but you'll be prompted for a password. That doesn't erase the fact that that entering a password should always be necessary when logging in unless one specifically stores passwords at the browser or OS level.

 

Unfortunately, staff views not having to enter a password upon logging in as a convenience.

[1992casey]

I've removed the link to this topic from the board directory and forum pages, but that doesn't mean that the concerns are any different.

 

Bottom line?

• A user can still log out and get back in without providing any credentials at all (no username, no OpenID url, no password).
• If one creates an account using credentials from one of these services, his/her username may be based on information provided by that other service, e.g. the user's real name or e-mail address.

Because existing members already have accounts, they're unlikely to be

affected. I'm concerned about new members, but I kind of doubt that

they'd figure out the meaning of this topic anyway.

 

When new members apply for membership with usernames that look like something they might not prefer, board admins will need to communicate with them via PM to ensure that they're using the handle they want.