One account can access the other's even if logged out

Scenario:

User A logs in to connect.garmin.com on the web. Enables "remember me" in the login screen. Logs out.

User B logs in to connect.garmin.com on the web. Goes to Profile and Account (top right corner) --> Account Settings --> Account Information --> Change email.

Now the scary part: User B suddenly can see User A's email and is able to change it!

A and B are my wife and me, so no worries, but this scenario should not be possible, right?

  • Thanks for everyone's contribution.

    I have raised a support ticket with Garmin. The issue is pretty easy to reproduce, and I guess that they are better equipped to examine the issue further. I would find it strange if Garmin would be indifferent to any potential security issues.

  • The real issue here is that a logout in Garmin Connect Web doesn't log you out of your Garmin account so you have to make sure to logout from both sites to be logged out.

    If you are logged out of both you will be logged in to both when you login to one. So, it is working differently when you login from when you logout.

  • Yeah, this is exactly it.

    The problem is that there are two sites involved here: connect.garmin.com (for Connect) and www.garmin.com (for changing your email), and they don't work together quite right (imo). As e7andy said, they have separate login states. Logging out of one site won't log you out of both sites. That combined with the fact that clicking on the Change Email link in Connect will implicitly log you into www.garmin.com leads to the situation observed by OP.

    After e7andy's hint, I found a way to recreate the problem:

    1) Close your browser completely, then open a new incognito window in the same browser. This will ensure you don't have any leftover session state

    2) Log into connect.garmin.com with User A

    3) Select profile pic (upper right hand corner) > Account Information. Note that the read-only email displayed here (and all other information in Connect) is correct for User A

    4) Click on Change Email. This opens your Garmin account details page (https://www.garmin.com/en-CA/account/profile/) in a new tab. (Since you were not previously logged into www.garmin.com, you're automatically logged in as User A.)

    User A's name and email address should be correctly displayed here. Do not log out of this page (you can close the tab or leave it open, doesn't matter which).

    5) Go back to the connect.garmin.com tab and log out of Connect.

    6) Log back into Connect as User B.

    7) Select Account Information as before and verify User B's email address is displayed properly on this page

    8) Click Change Email. This will open the Garmin account details page for User A. This is because User A is still logged into www.garmin.com. I can definitely see how this could be perceived as a bug or unexpected behavior.

    So the key here is you simply have to click the Change Email link in the Connect website as 2 different users, without explicitly logging out of www.garmin.com in between the 2 clicks.

    This really does seem to be a bit of a bug, or at the very least, less than ideal behavior. Clicking on the Change Email link in Connect implicitly logs you into www.garmin.com as the Connect user, but only when you're not already logged into www.garmin.com. When you're already logged into www.garmin.com, clicking on the Change Email link does not cause your www.garmin.com session to switch to the Connect user, but I think it should.

    The big problem here is that in this specific use case, the user did not explicitly log into www.garmin.com, it happened implicitly, due to an action they performed on connect.garmin.com. Therefore, they have no reason to believe that it's necessary for them to explicitly log out of www.garmin.com.

    This is almost the inverse of the sort-of-problem where logging into Connect can silently change the user you're logged in with on the Garmin forums site.

    Clearly this stuff hasn't been tested with multiple users in the same browser at all.

  • As e7andy said, they have separate login states. Logging out of one site won't log you out of both sites.

    Strange, when I log out from GC, it logs me out from other Garmin websites too. I tested it with Chrome, Edge, Opera, and Firefox. I am always logged out from everywhere. And I do use multiple accounts on the same browser.

  • Do you have 2FA enabled? I don't.

    I can recreate this on Chrome, Firefox, Brave and Safari on macOS. On Windows, I tried Firefox and Edge. I'm fairly certain the behavior is not browser-specific. No, I don't save my account credentials in the browser or use autofill, either. I tested both with incognito and normal browser windows (not for every browser, but for enough browsers that I don't think it's a factor). I also never enable Remember Me on the Connect login page.

    I didn't bother to try iOS, but I assume it will have the same problem (for me).

    EDIT: same thing happens in Safari on iOS (iPhone).

  • Do you have 2FA enabled?

    No

    I also never enable Remember Me on the Connect login page.

    I usually do, but it does not make any difference

    I am on Windows, no Incognito Mode

  • Did you follow the exact recreation procedure I posted (obviously not, since you didn't use incognito mode like I suggested)? If not, did you test with www.garmin.com?

    If you must test without incognito mode, obviously before you follow my recreation procedure (if you're willing to do so), ensure you're logged out of both connect.garmin.com and www.garmin.com.

  • I usually do, but it does not make any difference

    I don't think it makes a difference either, but I mentioned it because:

    - OP mentioned it

    - to preemptively address any possible suggestion that enabling it would cause the observed behavior (see: browser autofill / saved passwords)

  • If not, did you test with www.garmin.com?

    When I log out from connect.garmin.com and then go to the profile on www.garmin.com, I am signed out and have to enter the email address and the password again, and then always land in the right account. And it happens regardless whether I use normal or Incognito Mode (just tested with the Incognito mode to be sure, though I had no doubts about it)

  • When I log out from connect.garmin.com and then go to the profile on www.garmin.com, I am signed out and have to enter the email address and the password again, and then always land in the right account.

    Right, so you didn't follow my instructions or understand my bolded point.

    So the key here is you simply have to click the Change Email link in the Connect website as 2 different users, without explicitly logging out of www.garmin.com in between the 2 clicks.

    Nowhere in my instructions did I ever say to explicitly navigate to www.garmin.com after logging out of connect.garmin.com.

    The problem only occurs when you use the Change Email link in Connect. It does not happen if you manually navigate to www.garmin.com or even [https://www.garmin.com/en-CA/account/profile/]

    Here's the recreation procedure again:

    1. Log out of all *.garmin.com sites. (Do whatever you need to do to verify you're logged out. Personally I would start a new incognito session, but it's up to you.)
    2. Log into connect.garmin.com as User A
    3. Click on Account Information > Change Email. This will open [https://www.garmin.com/en-CA/account/profile/] in a new tab, implicitly logged in as User A. Go ahead and close the tab since it doesn't matter.
    4. Log out of connect.garmin.com.
    5. Log into connect.garmin.com as User B
    6. Click on Account Information > Change Email. This will open [https://www.garmin.com/en-CA/account/profile/] in a new tab, but you'll still be logged in as User A

    So yeah, as you noted, logging out of connect.garmin.com will apparently log you out of www.garmin.com. But this is only true for the purposes of manual navigation to www.garmin.com (*). It is not true when the Change Email link is clicked in Connect and www.garmin.com is automatically opened for you. This should make it even more clear that this is a bug.

    (* To be fair, I did not bother to check this case, since it's not relevant to the OP. But I should have, for completeness.)

    In fact, the leftover www.garmin.com login credentials persist even after you explicitly visit www.garmin.com and see the login page (without actually logging in).

    You could insert the following step in the above procedure and the problem would still happen:

    4.5. Visit https://www.garmin.com and note that you are apparently no longer logged in as User A. If the login page isn't displayed, go ahead and click on the user profile icon to navigate to the login page. (This should be sufficient to demonstrate you're apparently not logged in.) Do not log in.

    As a side note, it's very annoying that the login page is forcibly displayed for certain garmin sites that are normally login-free, but only under certain circumstances (like when you're logged in to another garmin site)

    For example, I can normally browse the forums without logging in, but as soon as I log into Connect, I also have to log into the forums. I also consider this to be a bug, especially since when I'm already logged into the forums, if I log into Connect as a different user, it will change the forum user as well. This is almost the inverse of the OP's problem.
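As an added illustration (this is not Garmin's code and not part of the thread), the following Python models the two-site handoff described in the recreation procedure above and in the earlier observation that the Change Email link only logs you into www.garmin.com when you are not already logged in there. It assumes a browser that holds one session cookie per host, two independent session stores (one per site), and a Change Email handoff that only creates a www.garmin.com session when none exists. The user names, cookie handling, and the hardened variant are assumptions for the model, not anything observed on the real sites; the manual-navigation case (visiting www.garmin.com directly after logging out of Connect) is deliberately left out. Running the six-step procedure against the observed handoff leaves User A on the account page at step 6; against a handoff that always re-binds the www.garmin.com session to the current Connect user, step 6 shows User B.

```python
"""Model of a cross-site login handoff between two hosts that keep separate
session state. Constructed to illustrate the thread's recreation procedure;
hypothetical code, not Garmin's implementation."""
from dataclasses import dataclass, field


@dataclass
class Browser:
    """One browser profile: a separate session cookie per host."""
    cookies: dict = field(default_factory=dict)  # host -> session id


class Site:
    """A site with its own server-side session store (assumed model)."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.sessions: dict = {}  # session id -> user
        self._counter = 0

    def login(self, browser: Browser, user: str) -> None:
        self._counter += 1
        sid = f"{self.host}-{self._counter}"
        self.sessions[sid] = user
        browser.cookies[self.host] = sid

    def logout(self, browser: Browser) -> None:
        # Only this host's cookie and session are cleared; the other site's
        # session survives, which is the separate-login-state behaviour the
        # thread describes.
        sid = browser.cookies.pop(self.host, None)
        self.sessions.pop(sid, None)

    def current_user(self, browser: Browser):
        return self.sessions.get(browser.cookies.get(self.host))


def change_email_link_observed(connect: Site, account: Site, browser: Browser):
    """Handoff as observed in the thread: an account-site session is created
    for the Connect user only if www.garmin.com has no session yet. An
    existing session for a different user is left untouched."""
    if account.current_user(browser) is None:
        account.login(browser, connect.current_user(browser))
    return account.current_user(browser)


def change_email_link_rebound(connect: Site, account: Site, browser: Browser):
    """Hypothetical hardened handoff: the account site must end up bound to
    the user who is logged into Connect, replacing any mismatched session."""
    connect_user = connect.current_user(browser)
    if connect_user is None:
        raise PermissionError("not logged in to Connect")
    if account.current_user(browser) != connect_user:
        account.logout(browser)
        account.login(browser, connect_user)
    return account.current_user(browser)


def reproduce(handoff, first_user: str = "userA", second_user: str = "userB"):
    """Run the six-step recreation procedure; return the user the account
    page shows at step 6."""
    browser = Browser()                         # 1. fresh browser, no session state
    connect = Site("connect.garmin.com")
    account = Site("www.garmin.com")
    connect.login(browser, first_user)          # 2. log into Connect as User A
    handoff(connect, account, browser)          # 3. Change Email (tab can be closed)
    connect.logout(browser)                     # 4. log out of Connect only
    connect.login(browser, second_user)         # 5. log into Connect as User B
    return handoff(connect, account, browser)   # 6. Change Email again


if __name__ == "__main__":
    print("observed handoff shows:", reproduce(change_email_link_observed))
    print("rebound handoff shows: ", reproduce(change_email_link_rebound))
```

The difference between the two handoffs is the single check in step 6: the observed behaviour treats "a www.garmin.com session exists" as sufficient, while the re-binding variant treats "the www.garmin.com session belongs to the Connect user who clicked the link" as the requirement. A second, complementary mitigation would be for the Connect logout to clear the www.garmin.com session as well; the model keeps the two stores independent so the effect of the link behaviour alone is visible.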