Fog Creek Software
g
Discussion Board

Hyper-ultra-mega-security-bug?

I am serious, this was not an hallucination.

An user reported a very strange behavior from fogbugz. He has changed his password and the operation was ok. Then he has SUCCESSFULLY logged on to FB using BOTH (the new and the old) passwords!!!

I saw with my own eyes. We have tried it in other machines and it did happens again.

Finally he went to 'Prefs' and changed the password again. After that, the bug cannot be reproduced again.

Does Someone have experienced something like this before? Or tried entering the last password?

Maybe this is a bug from SQL, I really don't know... because I KNOW FB archieves only the current password.

Regards,

Alexandre B. Corrêa
Thursday, March 27, 2003

What happens if he changes the password back to the second password (not the original and not what is now)?  Can he log in with the original and the second password?

Michael H. Pryor
Thursday, March 27, 2003

Unfortunally he has changed this password to a 'third' password... he said we will try to reproduce the problem again (because since he has changed the password the problem is solved).

Alexandre B. Corrêa
Thursday, March 27, 2003

Would it be possible for him to email us the first and second password to see if I can run some tests here?

Michael H. Pryor
Thursday, March 27, 2003

WE REPRODUCED THE PROBLEM AGAIN.

Hold on a few minutes... we are taking a deeper look into it.

:)

Alexandre B. Corrêa
Thursday, March 27, 2003

We discover the problem: sPassword stored for both passwords is the same, but the passwords are different.

Alexandre B. Corrêa
Thursday, March 27, 2003

It seems your routine to cript the password is generating the same string for 'almost-the-same' passwords.

Alexandre B. Corrêa
Thursday, March 27, 2003

The funny thing was that this bug was discoverd from OUR testing team. :)

Alexandre B. Corrêa
Thursday, March 27, 2003

Yes, you're right... In certain cases two different passwords will hash out to the same string... I'll take a look at beefing this up.

Michael H. Pryor
Thursday, March 27, 2003

Folks,

  We need a patch as soon as possible.

  When do you think this will be released?

Thanks!

Alexandre B. Corrêa
Thursday, March 27, 2003

It is still in the testing phase for the next release.  If you are interested in helping us test, please let us know.

Michael H. Pryor
Friday, April 11, 2003

It's out. 3.1.5.

Michael H. Pryor
Tuesday, April 22, 2003

*  Recent Topics

*  Fog Creek Home