Joomla 4.4.5
Acymailing 9.6.0
EB 4.9.3
Hi,
My client sent a newsletter out to several thousand users.
The Event Booking addon was used to integrate with events.
When a user clicked on an event from the newsletter they were logged in with my client's account.
I asked the client to forward the newsletter to me and I can confirm that behaviour.
The link from the newsletter contains: ?autoSubId=XXXXXX&subKey=XXXXXXXXXXX
which seems to allow the user to be logged in as that person

https://www.lec.ie/component/eventbooking/2128-digital-creativity-in-the-primary-classroom.html?autoSubId=XXXXXX&subKey=XXXXXXXXXXX

If I block the user's account in Joomla and then click on the EB link from the newsletter, I get the message:
"Login denied! Your account has either been blocked or you have not activated it yet."

Please investigate this as a matter of urgency.

Please get back on this issue ASAP, as my client's website is now offline because this constitutes a serious data breach.
Another report has come back that a school principal received my client's newsletter and forwarded it on to his staff. The staff, on clicking on an event, were then logged in as the school principal and could see his personal profile details, including his personal telephone number.
I can PM access to the website if you need to take a look.

Hi,

This happens because your client has enabled autologin in the newsletter. It's much safer not to use this option and have the users log in manually by themselves. As you have noted, the autologin link does not get removed once you forward an email that contains such a link. Since the forwarding is done from a local email client, there's nothing we can do to prevent the autologin link from being forwarded.

The first thing you can do is to add a RewriteRule to your .htaccess that will strip the autoSubId from the requested URL. That way you make the autologin impossible and you can put the site live again.

RewriteEngine On

# Place this directly after "RewriteEngine On", before Joomla's own SEF rules,
# so it is evaluated on the original request and not on the rewritten index.php.
# Matches only a whole parameter named autoSubId (anchored with (^|&) and (&|$)),
# then redirects to the same path with the ENTIRE query string dropped (the
# trailing "?" with no QSA flag discards it), so subKey is removed as well.
RewriteCond %{QUERY_STRING} (^|&)autoSubId=[^&]*(&|$)
RewriteRule ^(.*)$ /$1? [R=302,L]

Once you have done this you can put your site back live again and the autologin doesn't work anymore. This gives you time to contact our support and ask them if there is a way to reset these keys in Acymailing so the autologin links in the sent emails don't work anymore.

When you contact support, please make sure to inform them you have added the above RewriteRule to your .htaccess, so they know the behaviour they can expect.

You can raise a support ticket here: https://www.acymailing.com/support

"This happens because your client has enabled autologin in the newsletter. It's much safer not to use this option and have the users log in manually by themselves"
Where is this setting please?

It's a setting in the add-on.

Please do as suggested, because you have emails sent out with these login credentials.

Thanks for the .htaccess script. I never want this behaviour on the website, as it has led to a data breach.
The autologin setting doesn't work in a secure way and has allowed users who have been forwarded a newsletter access to someone else's account.
Will the htaccess solution above permanently prevent autologin even if the setting is set to Yes?

Yes, because it removes a relevant parameter for the autologin. Make sure you test the code thoroughly.
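The reply above recommends testing the RewriteRule thoroughly. The script below is an added example (not from the thread, not AcyMailing or Event Booking code) that emulates the rule offline: it applies the same regular expression to the raw query string the way Apache's %{QUERY_STRING} is matched (undecoded), and separately shows which parameter names the PHP application would see after the percent-decoding PHP applies to $_GET keys. The URLs are constructed test inputs on a hypothetical domain, and the autoSubId/subKey names are the ones visible in the newsletter link. One case is worth knowing about: because mod_rewrite matches the undecoded query string but PHP decodes parameter names, a deliberately percent-encoded name such as %61utoSubId slips past the rule while still arriving as autoSubId in the application. That does not affect forwarded newsletter links, which carry the plain name, but it is why the rule is a stopgap and disabling the autologin option remains the real fix.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Same pattern as the RewriteCond in the .htaccess rule posted in the thread.
# The simple PCRE used there has identical meaning in Python's re module.
AUTOLOGIN_COND = re.compile(r"(^|&)autoSubId=[^&]*(&|$)")


def rewrite_redirect(url):
    """Emulate 'RewriteRule ^(.*)$ /$1? [R=302,L]' guarded by the RewriteCond.

    Apache matches %{QUERY_STRING} in its raw, still percent-encoded form, so
    the regex is applied to the undecoded query. Returns the 302 target (same
    path, whole query string dropped) or None when the rule does not fire.
    """
    parts = urlsplit(url)
    if not AUTOLOGIN_COND.search(parts.query):
        return None
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def php_sees_autologin(url):
    """What the PHP side would receive: $_GET percent-decodes parameter names,
    and parse_qs decodes keys the same way. True when both autologin
    parameters are present under their decoded names."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "autoSubId" in params and "subKey" in params


def check(url):
    """Blocked means the redirect fires; bypass means the rule stays silent
    while the application would still see both autologin parameters."""
    target = rewrite_redirect(url)
    blocked = target is not None
    reaches_app = php_sees_autologin(url)
    return {
        "blocked": blocked,
        "reaches_app": reaches_app,
        "bypass": reaches_app and not blocked,
        "target": target,
    }


# Constructed test URLs (hypothetical host, made-up token values).
BASE = "https://www.example.invalid/component/eventbooking/2128-event.html"
CASES = {
    "newsletter link":        BASE + "?autoSubId=123&subKey=abcDEF",
    "parameters swapped":     BASE + "?subKey=abcDEF&autoSubId=123",
    "extra parameter first":  BASE + "?view=event&autoSubId=123&subKey=abcDEF",
    "similar name (no match)": BASE + "?xautoSubId=123&subKey=abcDEF",
    "name only in path":      "https://www.example.invalid/autoSubId=1.html",
    "percent-encoded name":   BASE + "?%61utoSubId=123&subKey=abcDEF",
}


def run_all():
    return {name: check(url) for name, url in CASES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        flag = "BYPASS" if result["bypass"] else ("blocked" if result["blocked"] else "passes through")
        print(f"{name:26} {flag:14} -> {result['target']}")
```

Run it and the newsletter link, the swapped-order variant and the link with an extra parameter all redirect to the bare event URL, the look-alike name and the path-only case are correctly left alone, and the percent-encoded case is reported as a bypass.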