Why is it that when I send a friend a link from a Quora digest e-mail she can log into my account and do nasty things?
-
Quora sends me weekly digests. I copied one of the links and IM'd it to a friend. Her response was "hey, I just logged in as you." Tried it out a couple of times, same thing. Seems limited to links in e-mails. It's a bit discouraging to know that someone is still putting credentials in URLs for the sake of login convenience.

Along the same line, I noticed that typing her e-mail address into the home page login screen yields her headshot, without actually logging in!! I'm no security professional, but this all makes me wonder what's up with Quora security?

Edit: Even more disturbing, she could see that I was still logged into Quora AND get a vague idea of where I am. From the logout screen:

You are now logged out of your account in this browser, but you are still logged in from 1 other browser.
Login Time: Feb 19, 2014 02:04 PM
Browser: Safari Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) ...
From: Some City, Some State XX.XX.XX.XX <----- Some IP address

Edit 2:
1. I couldn't repeat this on my local machine by logging out and clicking the link.
2. We were both using Chrome.
3. She got the same view of the question with a "relogin as Quigly" badge instead of the username/password box.
-
Answer:
When Quora sends you mails, the links to the website come with an auto-login token, which is a common technique used to automate the login process. See the encircled part from the screenshot of a mail I received. In this case Quora believes that you are the sole person operating the email account registered with Quora and allows you to log in without typing in your credentials. So do not share any link to the site you get in the email, but rather find the original link on the site and share that.
Rishin S Babu at Quora
Other answers
I just grabbed a link from my weekly digest email and pasted it into another browser (Safari on Mavericks) where I wasn't logged into Quora. The result was that I was able to see the question, but still got a login prompt. Looks like the fields that get passed are:
hash=...
uid=...
aoid=...
aoty=...
ty_data=...
ty=...
digest_id=...
click_pos=...
st=...
source=...
stories=...
v=...
aty=...
Blake Swopes
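The two answers above describe a digest link that carries a uid and a hash and logs in whoever opens it. As an added illustration (not Quora's code, and not code from anyone in this thread), here is how such a link token can be built so that a forwarded copy does not hand over the account: the server signs the parameters, the token expires, it is accepted only once, and its scope is limited to viewing one story rather than creating a session. The host name, secret key and parameter names other than uid and hash are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing key; a real service would load it from a secret store.
SECRET = b"example-digest-signing-key"

def mint_digest_link(uid, story_id, issued_at, ttl=3600):
    """Build a digest link whose token is bound to one story and a deadline.

    The hash is an HMAC over the other parameters, so they cannot be altered,
    but it proves only that the server minted the link, not who is clicking it.
    """
    params = {"uid": uid, "story": story_id, "scope": "view_story",
              "exp": issued_at + ttl}
    signed = urlencode(sorted(params.items())).encode()
    params["hash"] = hmac.new(SECRET, signed, hashlib.sha256).hexdigest()
    return "https://example.invalid/story?" + urlencode(sorted(params.items()))

def verify_digest_link(url, now, used_hashes):
    """Return the token's claims if the link is acceptable, else None.

    `used_hashes` is the server-side record of tokens already redeemed; a
    forwarded copy of a link that was already clicked is rejected as a replay.
    The returned claims carry scope "view_story" only, so the caller must not
    turn them into a full login session.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    presented = query.pop("hash", None)
    if presented is None:
        return None
    signed = urlencode(sorted(query.items())).encode()
    expected = hmac.new(SECRET, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return None          # parameters were tampered with
    if int(query["exp"]) < now:
        return None          # token expired
    if presented in used_hashes:
        return None          # already redeemed (e.g. a forwarded link)
    used_hashes.add(presented)
    return query
```

Even with all four controls the first click from any recipient succeeds, because the URL is a bearer credential; the controls only limit what that click can do and for how long.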