One account can access the other's even if logged out

Scenario:

User A logs in to connect.garmin.com on the web. Enables "remember me" in the login screen. Logs out.

User B logs in to connect.garmin.com on the web. Goes to Profile and Account (top right corner) --> Account Settings --> Account Information --> Change email.

Now the scary part: User B suddenly can see User A's email and is able to change it!

A and B are my wife and me, so no worries, but this scenario should not be possible, right?
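As an added illustration (not Garmin's code, and not code from anyone in this thread), here is a constructed in-memory model of a web login with "remember me" that walks through the OP's scenario and shows the two defender-side properties that keep it from happening: logout revokes the persistent token on the server, and the Change Email page resolves the account from the current session rather than from any leftover cookie. User ids, emails and cookie names are all made up for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample users (hypothetical, not real accounts).
USERS = {"a@example.test": "user-a", "b@example.test": "user-b"}


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)   # session id -> user id
    remember: dict = field(default_factory=dict)   # remember-me token -> user id
    emails: dict = field(default_factory=lambda: {u: e for e, u in USERS.items()})

    def login(self, cookies: dict, email: str, remember_me: bool) -> None:
        """Issue a fresh session; optionally also a persistent remember-me token."""
        uid = USERS[email]
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = uid
        cookies["sid"] = sid
        if remember_me:
            tok = secrets.token_urlsafe(16)
            self.remember[tok] = uid
            cookies["remember"] = tok

    def logout(self, cookies: dict) -> None:
        """Revoke server-side state for BOTH cookies, then clear them in the browser."""
        self.sessions.pop(cookies.pop("sid", None), None)
        self.remember.pop(cookies.pop("remember", None), None)

    def current_user(self, cookies: dict):
        """The live session wins; remember-me only restores a login when no session exists."""
        uid = self.sessions.get(cookies.get("sid"))
        if uid is None:
            uid = self.remember.get(cookies.get("remember"))
        return uid

    def change_email_page(self, cookies: dict) -> str:
        """The value shown on the Change Email form comes from the resolved user only."""
        uid = self.current_user(cookies)
        if uid is None:
            raise PermissionError("not logged in")
        return self.emails[uid]


def reproduce_thread_scenario() -> tuple:
    """A logs in with remember me and logs out; B then logs in on the same browser."""
    srv, browser = Server(), {}
    srv.login(browser, "a@example.test", remember_me=True)
    a_token = browser["remember"]
    srv.logout(browser)
    srv.login(browser, "b@example.test", remember_me=False)
    return srv.change_email_page(browser), a_token in srv.remember
```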

  • So as you may have guessed, I do have separate logins for Connect and the forums, and the problem I described above has caused issues in the past.

    I get around this by using separate browsers for Connect and the forums (or by using Incognito for the forums and regular tabs for Connect).

  • Can you create a brand new Connect account and test the same flow?

  • Youdontwannaknow said:
    I am sure you can reproduce this issue if you have more than one account.

    I do have three different GC accounts. I am logged in as user A in Garmin Connect. I sign out. When I open Garmin Account web, I get a blank sign-in page, with no email address prefilled (automated filling of login forms disabled in my browser). I sign in as user B, and go to change my email address. The correct address of user B is shown. No surprise there.

    Make sure to disable the automatic prefilling of passwords and login credentials in your browser:


  • Don't you think OP would've noticed if the wrong email address was prefilled on the login page?

    The premise of this thread is that User B believes they have logged in as User B. Shouldn't they be given the benefit of the doubt until proven otherwise?

  • I have no idea, but would test disabling the password prefilling anyway. Some browsers may sign you in automatically without prompting you, so you won't see the wrong address was used.

  • I'll also point out that the menu which opens when you click on your profile pic in Connect literally shows your username, so even if both User A and User B have generic profile pics, it's hard to see how User B could mistakenly believe they were logged in as User B, but was in fact logged in as User A. If they had actually logged in as User A, it would be immediately apparent as soon as they click on their profile pic.

    Alternatively, if User A and User B have different profile pics, it would be obvious who's logged in, immediately after they've logged in.

    Is it still possible that User B actually logged in as User A, while mistakenly thinking they were logged in as User B? Sure, but again, I'd like to give OP the benefit of the doubt.

  • I would still test disabling the browser settings first. The browser may also be prefilling the email field on the change form. If disabling the options turns out not to help, then I recommend replicating it while recording a screen video which shows the entire process, and then reporting it to Garmin, sending them the video as proof. Preferably through their Security Issue form at https://www.garmin.com/en-US/legal/security/ - there is a higher chance it gets reviewed by the right team.

  • > The browser may be also prefilling the email field on the change form.

    That would be a bug in the Connect site then. Clearly the site should prevent prefilling of any fields which represent existing user settings. In any case, if a field already has a value, the browser typically should not be auto-filling it. But if there's any chance that auto-filling should happen inappropriately, the site should be coded to avoid it. As a somewhat related (yet different) example, a form which allows an administrative user to add *other* users should not prefill a normally blank "Username" field with the name of the logged-in administrative user itself. That would be a bug, and you can't blame it on the browser. The application vendor is supposed to work within the confines of popular browser behavior.

    Yes, I realize this is a hard problem in some cases - there are stackoverflow questions with years of replies on how to do this in some situations with Chrome - but it still needs to be done.

    Furthermore, the email address is not just displayed on the form itself, but it's also displayed above the link which opens the Change Email form. I assume that the OP can see both instances of the email address. If the email address displayed above the "Change Email" link was different than the email address displayed in the form itself, I would assume OP would've noticed and mentioned it.

    As a matter of fact, I think it's impossible [or very unlikely] for the browser to prefill the email address at all. Here's all the different places that the email address is displayed:

    Post continued on pastebin: https://pastebin.com/RhM4i0iJ

  • I do think that a video demonstrating the problem would be the best way to convince Garmin that there is a problem. Too bad there isn't really an easy way to post such a video here while redacting personal information.

    I guess OP could create 2 accounts with fake names and fake email address in order to demonstrate the problem with a video, but that would be asking a lot.