Curious about the DDD security hole
Just testing a theory, please choose which one is applicable.
|
I chose: don't use "remember me" but logged into someone else's account.
I also hadn't ever logged onto ddd from this computer. |
Well, there goes that theory ;) Did you use a link provided by someone else, or did you just type in the address manually and end up in someone else's account? Also, did you get to the info before or after you logged in?
|
I typed in the address manually. When I went to log in I also unchecked the "remember me" box. At first it logged me into my account, but when I went to log off, it put me into another person's account.
When I opened DDD this morning and went to the site it already had me logged in on somebody else's account. So, perhaps it is still trying to remember me. This is under IE. I haven't tried using Firefox (my main browser) on it. |
I wonder if the "remember me" accounts are the accounts that have been exposed to others. In other words, they're sort of never really logged off, so they show up randomly.
Edit: I should clarify: I chose "remember me", and I have seen others' accounts, but my account has also been exposed (I received an email from a DDD customer an hour ago letting me know). |
I use remember me and have seen other accounts, mainly people in PA. People have also seen my account, although I am not in PA. I use Firefox.
|
Other - I don't use "remember me" but I haven't logged onto DDD since I found out about this security problem.
|
I never use the "remember me" option at DDD. I only log into my account to check an open order or to place a new order. I always log out when I'm done. So far I haven't been able to view any other accounts except my own, and haven't been notified by anyone that my account was open to viewing. I should also mention that I tried IE, Avant, and Mozilla browsers with the same results.
Here is an update from my earlier post. You can add Firefox and Opera to the browser mix, and still can only access my own account. I even went to my sister's house today and tried her computer, but could only view my account. |
I use the "remember me" function, but I haven't seen anyone else's info. I was able to log in and out yesterday with no problems, and changed to "Bill Me Later".
I'm hoping nobody dishonest was able to see my account info, since it seems a lot of PA accounts are exposed. |
Tried to log in and got someone else's account, then tried to log off and got "Hello DDD Sux" greeting!
|
I too use the "remember me" function, and have been able to log in/out of my account every time I've tried, with no problems whatsoever.
No seeing other people's accounts, no trouble logging out, etc. |
I think I never used the remember me function and I'll never check it from now on to be sure.
|
I never use the remember me function and have had no problem logging in or out, nor have I been able to access anyone else's account. The issue may be that those people who are currently using the remember me option may be the accounts that are vulnerable.
Usually this sort of option only affects the client (user's) computer, as it sets a cookie on that computer to save the user's login information so he/she doesn't have to re-enter it from his/her computer when accessing the server (website). Ideally, it won't or can't affect any other computer's access to data on the server system. But I don't know how DDD has set up this option to work with their website, so I can only speculate what (or if) that's the problem. |
From the look of the votes, albeit from a small percentage of people on the site, it would seem as though well over half of the voters have had no problem.
Which is odd, because you would think that a site that has been theorized to have been hacked would have been affected completely, not just for less than half of the users. Perhaps this is something less than a hacking, and more along the lines of the explanation being offered by DeepDiscountDVD representatives... |
Originally posted by invisiblegt Perhaps this is something less than a hacking, and more along the lines of the explanation being offered by DeepDiscountDVD representatives... |