Warning Re HAL's New Internet Service


sapper1

I'm pretty sure that you're fine. We just replicated the problem here at the Institute for Cheer. We took two machines, a laptop and an Android phone, and were able to make the CC server swap the sessions. It's independent of the HAL network. You can do it on a business LAN or home network that has a single IP address backed by private IPs for the connected machines. It appears to be how CC is seeing the persistent login when devices have the same IP address. (The ship's network assigns a private address to each machine, but the public-facing IP addresses are shared.)
Thanks for investigating this.

 

So are we safe if we positively log out of CC at the end of each session?


The most likely explanation is that they have a server that caches (stores a local copy of what it sees) the websites visited. When you go to a page that many people use it can speed things up if it's a static (not constantly changing) page. Providers use this method to reduce bandwidth used and access times but it often causes weird issues like this. It's bad if they're caching sites you log into.

 

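The caching explanation in the post above, as an added example that is not part of the thread and is not Cruise Critic, vBulletin or HAL code: a small Python simulation of a shared proxy cache sitting in front of a forum, with two devices behind the same public address opening the same thread. The thread URL, cookie values and user names are constructed for the demonstration. A cache that keys on URL alone and ignores caching headers hands the first user's personalised page to the second; a cache that honours Cache-Control: private/no-store and Vary: Cookie keeps them apart, but only if the origin actually sends those headers.

```python
"""Shared-cache simulation: how a caching proxy that keys responses on URL
alone can hand one logged-in user's page to another user behind the same
public IP. Added example for this thread; not Cruise Critic, vBulletin or
HAL code. Every URL, cookie value and user name below is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


# Constructed session table: cookie value -> logged-in user.
SESSIONS = {"sid-aaaa": "user1", "sid-bbbb": "user2"}


def origin(url: str, cookie: str, marks_private: bool) -> Response:
    """The forum: renders a page personalised for whoever the cookie names.
    A careful origin labels such pages private and says they vary by cookie."""
    user = SESSIONS.get(cookie, "guest")
    headers = {}
    if marks_private:
        headers = {"Cache-Control": "private, no-store", "Vary": "Cookie"}
    return Response(f"Hello, {user}! Thread {url}", headers)


class SharedCache:
    """Proxy cache shared by everyone behind one NAT address.

    naive=True  : keys on URL only and ignores caching headers (the failure
                  mode discussed in the thread).
    naive=False : honours Cache-Control: private/no-store and Vary: Cookie."""

    def __init__(self, naive: bool):
        self.naive = naive
        self.store = {}  # url -> (cookie of the request that filled it, Response)

    def _storable(self, resp: Response) -> bool:
        if self.naive:
            return True
        cc = resp.headers.get("Cache-Control", "")
        return "private" not in cc and "no-store" not in cc

    def _reusable(self, entry, cookie: str) -> bool:
        if self.naive:
            return True
        stored_cookie, resp = entry
        if "Cookie" in resp.headers.get("Vary", ""):
            return stored_cookie == cookie  # only the same session may reuse it
        return True

    def fetch(self, url: str, cookie: str, marks_private: bool) -> Response:
        entry = self.store.get(url)
        if entry is not None and self._reusable(entry, cookie):
            return entry[1]
        resp = origin(url, cookie, marks_private)
        if self._storable(resp):
            self.store[url] = (cookie, resp)
        return resp


def greeted_user(body: str) -> str:
    """Pull the user name out of the rendered greeting."""
    return re.match(r"Hello, (\w+)!", body).group(1)


def simulate(naive_cache: bool, origin_marks_private: bool) -> tuple:
    """Two devices on the same NATed network open the same thread in turn;
    returns the user name each device is greeted as."""
    cache = SharedCache(naive=naive_cache)
    url = "/showthread.php?t=12345"  # constructed thread URL
    return tuple(
        greeted_user(cache.fetch(url, cookie, origin_marks_private).body)
        for cookie in ("sid-aaaa", "sid-bbbb")
    )


if __name__ == "__main__":
    for naive in (True, False):
        for private in (False, True):
            print(f"naive_cache={naive!s:5} origin_marks_private={private!s:5} -> "
                  f"{simulate(naive, private)}")
```

Only the combination of an origin that marks the page private and a cache that honours it keeps the two sessions separate. The simulation also shows why deleting cookies on the device would not help against this particular cause: the stale page lives in the shared cache, not on the device.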

 

It's actually more of a CC security flaw issue than HAL issue. Don't use any password on this site you use for any others.

 

Oh my... That is scary... I'm a "tech dummy" when it comes to my PC!

 

Would this also be the case when using our personal desktop PCs? I use variations of one, two or three passwords with some letters & numbers on so many sites. I actually handwrite them to record them in a special book which I lock into a safe when on vacation.

 

When I log into those sites, such as Cruise Critic, without having to use one of the passwords it says "Hello, Serendipity" or "Hello, (my name)" or "Hello (DH's Name)".

 

I have hundreds of web sites stored in my favorites. Now I'm really concerned & wonder if I should go to all of them, including financial institutions, & log off & change all my passwords?


I wouldn't worry about it impacting your banking or mail or anything.

 

thank you very much :D



It's really only a problem if you are on the same network as another user, and even then certain things have to happen. DW and I are on the same LAN/WLAN, each using CC on a computer and a phone. It's never happened to us by accident, but as soon as I saw Sapper1's post, I figured it would require just the right factors to make it happen.

 

Bottom line: I am not worried about it. Sure, I'll look to see whom I am logged in as when I'm on the ship, but I won't let it stop me from using the onboard WiFi.

 

FWIW, I don't use the free WiFi in port. That's something I definitely don't trust. If I must use it, I use a VPN tunnel.

 

http://money.msn.com/identity-theft/how-free-wi-fi-can-put-you-at-risk-credit-cards.aspx

Edited by POA1

I'm pretty sure that you're fine. We just replicated the problem here at the Institute for Cheer. We took two machines, a laptop and an Android phone, and were able to make the CC server swap the sessions. It's independent of the HAL network. You can do it on a business LAN or home network that has a single IP address backed by private IPs for the connected machines. It appears to be how CC is seeing the persistent login when devices have the same IP address. (The ship's network assigns a private address to each machine, but the public-facing IP addresses are shared.)

 

I wouldn't worry about it impacting your banking or mail or anything.

 

Sapper1 has sent me a message (actually this is the second; sadly, I wasn't 'on' and missed the first one when all this started). If she signs into Cruise Critic she can view any thread on CC as sapper1 except this one. When she comes to this thread that she started, she is showing up as another poster.

 

Apparently she is much wiser than I and always toggles off her wifi after she signs out of the internet.

 

She is indeed using an iPad and the other CC poster that she has found is using a netbook.

 

Sapper1 is reading but nervous to sign in now so I am just the messenger.

 

Equipment has already been shut down to rest and so on, and that hasn't rectified the situation totally, as you can see from the above.

 

I quoted POA1 because of the technical stuff. Perhaps he and his Institute of Cheer or sspunk have some thoughts (or anyone else) now that we have this extra information?

 

Thanks to sspunk's post, I have already changed my password on CC.


POA1:

 

Just curious. What was the sequence you had to use to get the crossed CC logins? Has anyone thought to let the Sys Op know of the problem? It seems the vendor of the BBS needs to modify the way they handle "Keep Me Logged In". Just using the IP address is not sufficient, as is shown by this problem.

 

Does anyone know how to get the attention of the Sys Op and describe the problem to them?

 

Greg


We forced a "cookie swap" where the cookie from User1 got sent to User2 and vice-versa. It's something that wouldn't normally happen and I don't think it rises to the level of a vulnerability, per se. From what I can see in the page source code, CC is running vBulletin 3.7.3 which is an older version. It's possible that this issue was patched somewhere between 3.7.3 and the current version. However, in CC's defense, it's often a huge hassle when you upgrade the forum software.

 

We use multiple devices to access CC at the office and at home. We've never run into this problem and it's probably unlikely that it would happen under normal use. We had to force it. It might be easier to do on the ship because of satellite Internet latency (delay).

 

Sapper1 has a very sharp eye to notice the problem. Most people wouldn't have seen it, especially if it's just in one thread.

 

As far as fixing the problem on the user's end is concerned, Sapper1 can probably fix it by simply deleting the cookies for Cruise Critic. They'll all be from domains ending in cruisecritic.com. The iPad procedure is here:

 

http://ipadinsight.com/ipad-tips-tricks/ipad-tips-how-to-delete-cookies-for-individual-websites/

 

IMPORTANT: Make sure you have your login/pass info if you do this. Your iPad will "forget" your CC info. You ONLY want to delete the cruisecritic.com cookies. Do *NOT* dump everything.

 

If you use a different browser, Firefox for instance, just do an Internet search on "delete individual cookies from [browsername]" where you replace [browsername] with the name of your browser.


POA1:

It seems the vendor of the BBS needs to modify the way the handle "Keep Me Logged In". Just using the IP address is not sufficient, as is shown by this problem.

 

Sorry - I meant to address this. The persistent login isn't handled by IP address alone.

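Greg's point that an IP address is not enough to identify a returning user, and POA1's reply that the persistent login isn't handled by IP address alone, as an added Python example that is not part of the thread and is not vBulletin's implementation: two "Keep Me Logged In" designs, one keyed on the client address and one keyed on a per-device random token whose HMAC is stored server-side. The server secret, the public IP, the user names and the token format are constructed assumptions; the scenario is two devices behind one NAT address, as on a ship, logging in and then one of them logging out.

```python
"""Persistent ('Keep Me Logged In') identification, two ways. Added example
for this thread; not vBulletin's implementation. The secret key, IP address,
user names and token format are constructed."""
import hashlib
import hmac
import secrets

# Assumption: a server-side secret held in configuration, never sent to clients.
SERVER_KEY = b"constructed-server-side-secret"


class IpKeyedLogin:
    """Remembers 'who was last seen at this address'. Every device behind a
    NAT gateway (a ship, a home router) shares one public address, so the
    last device to log in silently becomes everyone."""

    def __init__(self):
        self.by_ip = {}

    def login(self, user: str, client_ip: str):
        self.by_ip[client_ip] = user
        return None  # nothing for the client to hold

    def logout(self, client_ip: str, cookie=None):
        self.by_ip.pop(client_ip, None)

    def identify(self, client_ip: str, cookie=None) -> str:
        return self.by_ip.get(client_ip, "guest")


class TokenKeyedLogin:
    """Each device gets its own high-entropy token in a cookie; the server
    stores only an HMAC of it, so a leaked table does not yield usable
    cookies, and a logout revokes exactly one device."""

    def __init__(self):
        self.by_token_hash = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self.by_token_hash[self._digest(token)] = user
        return token                            # goes into the remember-me cookie

    def logout(self, client_ip: str, cookie: str):
        self.by_token_hash.pop(self._digest(cookie), None)

    def identify(self, client_ip: str, cookie) -> str:
        if not cookie:
            return "guest"
        return self.by_token_hash.get(self._digest(cookie), "guest")


def ship_scenario(scheme):
    """An iPad and a netbook log in from the same ship network, which NATs
    both to one public address. Returns who each device is identified as
    before and after the first device logs out."""
    public_ip = "198.51.100.7"  # constructed (documentation range)
    s = scheme()
    ipad = s.login("user1", public_ip)
    netbook = s.login("user2", public_ip)
    before = (s.identify(public_ip, ipad), s.identify(public_ip, netbook))
    s.logout(public_ip, ipad)
    after = (s.identify(public_ip, ipad), s.identify(public_ip, netbook))
    return before, after


if __name__ == "__main__":
    print("IP keyed:   ", ship_scenario(IpKeyedLogin))
    print("Token keyed:", ship_scenario(TokenKeyedLogin))
```

With the address-keyed scheme both devices are identified as whoever logged in last, and one logout signs everyone out; with the token-keyed scheme each device keeps its own identity and logging out on one device revokes only that device's cookie, which is the behaviour a user expects from "positively logging out" at the end of a session.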

I bet Host Walt does.


A sharp eye indeed Sapper1 has, and she had already deleted her cookies, which removed the bulk of the problem but for this one thread. Strange indeed.


Was her browser - I'm assuming Safari - completely shut down during the cookie dump? If not, the cookies tend to stick. If she cleared the cookies with the browser shut down, the page for the thread might be cached. I'm not an iPad user and I'm not sure how long pages stay cached. Since CC pages are generated on the fly, the cache is not where I would expect to see the problem.

 

If she's using an app and not a browser, the whole thing is messier. You can clear the app cache and app data... But it doesn't scream "vacation" to me. I'd get a drink and just avoid this thread.

Edited by POA1

I don't know if she uses Safari or not. I don't on my iPad because I find that it doesn't work well compared to, say, Google.

 

I am sure she found it disconcerting and worrisome as in, what else does this person have access to. I know I would.

 

But I would also heed your wise advice and get a drink, and I hope sapper1 does so.

 

BTW, POA1, could you do me a favour and email me off board? I'd like to ask you a question that is not pertinent to this thread. My email is in my signature. Thanks if you have time.


Thank you very much Laura. :D

 

Jacqui,

 

One thing to note is that this is likely device independent; in other words, it can happen with laptops and smartphones running various operating systems.

 

As POA1 has pointed out, a few things have to happen in a particular sequence for this to happen. As this is the first time it's been reported, you can get the idea how rarely this is encountered.


And since it's extremely likely a board code issue and not a CC issue itself, they can't modify the code needed to close this loophole.


Could you kindly put this last statement in English (for those of us who are not techie brilliant)? On board, I log out of HAL's internet and CC, and yes, I take an iPad.

 

Are you saying to shut down the iPad every time? (I let it sleep sometimes.) Or is there something else we have to do, such as powering off the wireless adapter?

 

I don't consider myself iPad adept. It's my travel tool right now. Eventually I will get there, but right now even on my laptop I don't know how to power off my wireless adapter.

 

Hi Jacqui. Turn WIFI --> OFF in your settings before shutting down or "sleeping"; then no one can access anything on >>your computer<<.

 

SFO Peter


Duhh, I should have figured that out. Thanks Peter. My hero to the rescue again :D


I am currently on the Zuiderdam and this is a warning about a security flaw in the new HAL internet system as it pertains to CC.

 

I do not sign out of CC. It has been my habit to tick the "remember me" box. I keep a CC icon on my iPad desktop and just click on that to connect to CC.

 

Today when I clicked on the icon, I was signed into CC as another CC member who is also on the ship. I immediately went looking for this member and when I found her, she opened her CC page and found she was signed on as me. The ship's system had criss-crossed our CC accounts. If it had been a flaw in CC security it is doubtful the mix-up would have involved someone also on the ship.

 

We have both logged out and unchecked the "remember me" boxes in the hope that will prevent the issue from arising again.

 

I would like to ask that if anyone sees a post in the next few weeks that does not really sound like me I would appreciate it being brought to my attention. A person intent on causing trouble could really do a lot of harm if they were signed into another's account.

Did you ever share your password or device with your unnamed friend?


As previously posted, sapper1 is not posting on this thread - so I am the messenger so to speak.

 

sapper1 has NEVER shared her device nor her password with anyone.

 

She never would. She is extremely security conscious and very cautious.

 

However, she has confirmed as much to me.

 

I'm a bit puzzled by what you mean by 'unnamed friend'. Sapper1 reported a different Cruise Critic member who was on that cruise. That doesn't necessarily make that person a friend; possibly an acquaintance, assuming they were at the meet and greet, but not a friend.
