Roundcube Community Forum


Rare, but serious security problem: seeing others' e-mail

Started by litlfrog, October 16, 2008, 02:16:36 PM


litlfrog

We're currently using release 0.2b, but have been using 0.2a for a while. A few times in the last six months, we've had customers call in to say that when they open RoundCube from our webpage to check their e-mail, they're not taken to a login screen or to their e-mail--they see someone else's e-mail. That's a serious problem. Has anyone else seen this happen before? Whether or not, is there somewhere we can look to make changes? Thanks.

rosali

I'm quite sure the scenario happens if a user does not log out.

Check the following:
#1- login
#2- go within the same browser window to (f.e.) Google
#3- now go in the same window to RoundCube again ...

You are not prompted with the login screen ..., right?
Regards,
Rosali

litlfrog

Well, sure. In that case, you see your e-mail right away because the browser presumably saves a cookie and takes you directly back to the mail. I'm speaking of someone on a different computer, in a different state, opening RoundCube and immediately seeing the e-mail of a different customer.

rosali

And you are sure that on that different computer no one before logged into RoundCube leaving a browser window open?
Regards,
Rosali

litlfrog

No, I don't know that at all. Let's say customer A in Albuquerque reads his mail, then navigates to Google in that same browser window. Customer B in Bakersfield clicks the RoundCube link from our website and sees Customer A's e-mail. As I said, it's only happened a couple of times.

My apologies for not knowing much about the software; I'm just starting to learn. I'm not the sysadmin, I'm just the one at the company who has the time to look into this right now.

dano

And what if they have Roundcube bookmarked, does it still happen then? Maybe look into the code for the link on your webpage?

I've been using RC for well over a year with multiple users on multiple domains and haven't seen anything like this.

If it is what Rosali is thinking, you could try turning down the session lifetime in config/main.inc.php
// session lifetime in minutes
$rcmail_config['session_lifetime'] = 10;
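The thread suspects a still-valid session being reused from a second computer. One way to confirm that from the web server side, as an added example that is not part of this thread or of Roundcube itself: scan access logs for a Roundcube session cookie presented from more than one client address. It assumes the server logs the Cookie header (a custom LogFormat, constructed here) and that the cookie is named roundcube_sessid, the default name.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined format with the Cookie header
# appended as a final quoted field); not real traffic from anyone's server.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Oct/2008:14:01:02 -0600] "GET /roundcube/?_task=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "roundcube_sessid=a1b2c3d4"
203.0.113.10 - - [16/Oct/2008:14:03:40 -0600] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "roundcube_sessid=a1b2c3d4"
198.51.100.7 - - [16/Oct/2008:14:09:15 -0700] "GET /roundcube/?_task=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "roundcube_sessid=a1b2c3d4"
192.0.2.55 - - [16/Oct/2008:14:12:00 -0600] "GET /roundcube/?_task=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "roundcube_sessid=ffee9988"
"""

# Combined log format plus one trailing quoted field holding the Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# Default Roundcube session cookie name (assumed; check session_name in the config).
SESSID_RE = re.compile(r'roundcube_sessid=([^;\s]+)')


def parse_line(line):
    """Return {'ip', 'ts', 'sessid'} for a line carrying a session cookie, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = SESSID_RE.search(m.group("cookie"))
    if not c:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "sessid": c.group(1)}


def sessions_by_ip(log_text):
    """Map each session id to the client addresses that presented it (first time seen)."""
    seen = defaultdict(dict)  # sessid -> {ip: first timestamp}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[rec["sessid"]].setdefault(rec["ip"], rec["ts"])
    return seen


def shared_sessions(log_text):
    """Session ids that were presented from more than one client address."""
    return {sid: ips for sid, ips in sessions_by_ip(log_text).items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {len(ips)} addresses: {', '.join(ips)}")
```

A hit shows which session leaked and when the second address first used it, which is the evidence to compare against the session_lifetime setting; users behind NAT or on changing mobile addresses will also trigger it, so treat the output as a lead, not proof.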