[Website] Warning: I see other users profile

I am reporting a very important issue to investigate: when I go to my Profile page, sometimes I can see other users' profiles.
The link is: Profile - Age of Empires

First time I saw this:

I am seeing another user's profile with his email and his Xbox + Steam tags.

I tried after 5 minutes and it seemed ok.
Waited another 5 minutes or so, went to the profile again, and I saw yet another user's info:

If needed, I will try to provide video proof. It is hard to test because it doesn't always happen; I think it might happen more often when logging out and then logging in again.

Also, depending on where I am in the Age of Empires website, it looks like I am not signed in (I see the link “Sign in” on the top right) while I am signed in on other parts of the site.

EDIT:
After some hours, I tried again and I can confirm it is very random. It doesn't make much sense, which makes it hard to debug, but I really think it has something to do with the Microsoft login and the session management.

These look like SHA-256 encrypted strings, but only for the username part of the email, while the domain is in plain text.

2 Likes

Could someone in support please take a look at this? This definitely is a problem.

1 Like

Thanks for calling it out. There was an issue with a broken caching rule that was causing this and it was corrected earlier. You should no longer see this.

3 Likes

I wonder how long this was going on? Not a very comforting thread.

Could our profiles and info within be completely hash-tag encrypted (username ‘and’ domain), or a more secure hand-shake be required between profile and user login, or encryption between user login credentials and profile, etc.?

Someone logging in with Profile A credentials should never, ever see Profile B's account info, as Profile B should be stored under completely separate credentials in a secure area of the table never accessible by anyone logging into Profile A or any other non-B profile, even if there's a cache issue. If there's a caching issue that somehow caused this, Profile B should look like gibberish to anyone viewing it with non-B credentials. And if that's not currently how it goes, then who's to say that another broken caching rule won't result in the same issue?

There have been a handful of times where it’s impossible to log into the forum from PC; so server/system errors seem to occur on occasion. That’s different and, as far as I know, unrelated to this particular issue – but could the ‘broken caching rule’ issue just as easily come back around someday?

The profile page also has age and gender information, which I don't know about, but I doubt it was encrypted. The OP author would probably know.

The page was not displaying all the information, just some of it, but it was not encrypted. That is normal though, because you usually don't encrypt that kind of data, and to be honest I think it was really a stupid bug which was even hard to test/find; I found it only by pure coincidence. It may have happened to other users too before, but they didn't report it. It could be linked to the "new" website they made, maybe.

It is clear to me that there are some login issues, because sometimes I can't log in or it says I'm not logged in. I can imagine it is not so easy to manage, because you have the Microsoft login with its session (OAuth, I think), the website login with its own separate session, and the forum login with yet another session, and I can guess it is hard to keep everything under control.

But well anyway they are looking for a front end developer hehe: Senior Front End Web Developer in Redmond, Washington, United States | Engineering at Microsoft

2 Likes

The security of the login process wasn’t the issue here, it’s that the resulting rendered page got cached so then eartahhj saw that cached version of the page. They weren’t actually logged on as the user or anything.

That said, I'm definitely prioritizing finding options to both avoid this as a possibility in the future and to see if we can improve/simplify the login process altogether.

1 Like
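The caching failure DodoNotDoDo describes, modelled as an added example (this is not the site's code; the sessions, URL and headers are constructed): a shared cache that stores the rendered profile page by URL alone hands the first user's page to the next visitor, while a cache that honours `Cache-Control: private, no-store` and `Vary: Cookie` never stores a per-user response in the first place.

```python
# Constructed model of the cached-profile bug, not the Age of Empires site's code.
from dataclasses import dataclass, field

# Constructed session -> user mapping; the real site uses Microsoft login sessions.
SESSIONS = {"sess-A": "alice@example.com", "sess-B": "bob@example.com"}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_profile(session: str) -> Response:
    """Origin server: render the logged-in user's profile with headers that
    tell any shared cache the response is per-user and must not be stored."""
    email = SESSIONS.get(session, "anonymous")
    return Response(f"<p>Email: {email}</p>",
                    {"Cache-Control": "private, no-store", "Vary": "Cookie"})


def is_shared_cacheable(resp: Response) -> bool:
    """A shared cache must not store responses marked private or no-store."""
    directives = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
    return not directives & {"private", "no-store"}


class SharedCache:
    """A CDN / reverse-proxy cache sitting in front of the profile page."""

    def __init__(self, broken_rule: bool):
        self.store = {}
        # The bug: a rule that caches /profile by URL only, ignoring the
        # Cache-Control and Vary headers the origin sends.
        self.broken_rule = broken_rule

    def get(self, url: str, session: str) -> str:
        # Honouring Vary: Cookie means the session cookie is part of the key.
        key = url if self.broken_rule else (url, session)
        if key in self.store:
            return self.store[key].body          # cache HIT: whoever's page was stored
        resp = render_profile(session)
        if self.broken_rule or is_shared_cacheable(resp):
            self.store[key] = resp
        return resp.body


def profile_seen_by(broken_rule: bool) -> dict:
    """Alice loads her profile, then Bob loads his; return what each saw."""
    cache = SharedCache(broken_rule)
    return {"alice": cache.get("/profile", "sess-A"),
            "bob": cache.get("/profile", "sess-B")}
```

With `broken_rule=True` Bob is shown Alice's email, which is exactly the symptom reported at the top of the thread; with the headers honoured each user only ever sees their own page.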

Thanks DodoNotDoDo! I guess I don’t claim to completely follow the issue or cause, but it seemed like they were somehow viewing private data of others (at least email addresses), which seemed odd (i.e., a security glitch).

Either way, it sounds like you’re on it, so, much appreciated! Thanks again and good luck :smiley:

1 Like