
Getting logged in to other accounts

So 8 months ago we had a problem where some people got access to other people's accounts. These posts: https://app.roll20.net/forum/permalink/3966825/ https://app.roll20.net/forum/post/3940994/got-logg... It had been solved, and I did not encounter any trouble from it. But now it has started to happen again, and I got access to other accounts again.
1496361371
Stephen Koontz
Forum Champion
Marketplace Creator
Sheet Author
API Scripter
Compendium Curator
Roll20 is served via HTTPS, meaning that it is statistically impossible for you to be served someone else's cookie. That data is encrypted. The transmission was signed by us and signed by you, and encrypted so that only our servers and your computer can decode the information sent afterward. So even though it passes through 12 or more servers on the path from us to you, none of them should be able to read the data, including your cookie or anyone else's. Our best guess as to what's happening is that you're the victim of a man-in-the-middle attack. This would mean users have had their secure communication hijacked and decrypted, probably because they were compromised from the beginning. The results of the decrypted information are then cached, because this process is expensive to do. That cached information is then served up instead of the authentic request from Roll20 when you attempt to log in. They have a cached result of app.roll20.net/ that was decrypted, including another user's cookie and login, and that's what you are receiving. In the past, the rare times we've seen this issue have either been because the users were using the same VPN and IP address or the users were all in the same country using the same (usually the only government-available) ISP. The countries where we've seen this happen are Egypt, Turkey, Iran, and Syria. The most recent batch of people affected have all been located in Egypt using TE Data as their ISP. Is that the same for you?
DING DING DING DING. You are correct, sir. Now, how do we fix this? Keep in mind that Roll20 is the only site that does this.
1496440536
Stephen Koontz
Forum Champion
Marketplace Creator
Sheet Author
API Scripter
Compendium Curator
I can promise you that this is happening on almost every site you go to. The man-in-the-middle attack you're experiencing just happens to be visible to you on Roll20 because they've cached a page no legitimate service would. I recommend you investigate your country's policy on deep packet sniffing. As a workaround, try logging out of Roll20 whenever you're done using the site. This will prevent anyone from accidentally being logged in as you when they're served your cached information. It won't, however, protect you if you're currently logged in and using Roll20.
But this only happens with Roll20. I don't log into another person's Twitter or Facebook randomly!!!
1496706132

Edited 1496706503
Stephen Koontz
Forum Champion
Marketplace Creator
Sheet Author
API Scripter
Compendium Curator
HaLwAsA said: But this only happens with Roll20. I don't log into another person's Twitter or Facebook randomly!!! But it isn't. The problem is happening with probably every site you visit. You're only noticing a symptom of the problem (being logged in as someone else), because the man-in-the-middle attacker is caching app.roll20.net despite our clear instructions not to and sending you the wrong results. Either the attacker is smarter about passing along cached info from the more popular sites, or those companies have a method of detecting the account as a special security concern and logging them out. I'm curious, do you have to log in to those other sites every time you use them, or does it successfully remember you and leave you logged in for weeks at a time?
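The "clear instructions not to cache" Stephen mentions are HTTP cache directives. The script below is an added example for this thread, not Roll20's code and not a capture of its real headers: it audits constructed response headers for an authenticated page and reports where a shared cache (an ISP or proxy cache sitting on the path) is still permitted to store the response. The finding tags and the two header samples are my own, and the rules follow RFC 7234 section 3: only `no-store` and `private` forbid storage by a shared cache, while `no-cache` alone permits storage with revalidation, and a missing `Vary: Cookie` lets one user's stored copy satisfy another user's request.

```python
from typing import Dict, List

# Constructed header samples (not captured from Roll20): a weak response
# and a hardened one for the same authenticated HTML page.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=EXAMPLE_SESSION_ID; Path=/",
    "Cache-Control": "no-cache",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=EXAMPLE_SESSION_ID; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Cache-Control": "private, no-store, max-age=0",
    "Vary": "Cookie",
}


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'a, b=1, c="x"' into {'a': '', 'b': '1', 'c': 'x'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """RFC 7234 section 3: a shared cache must not store a response carrying
    no-store or private. Anything else, including no-cache alone or no
    Cache-Control header at all, leaves storage permitted."""
    cc = parse_cache_control(header(headers, "Cache-Control"))
    return "no-store" not in cc and "private" not in cc


def audit(headers: Dict[str, str]) -> List[str]:
    """Return finding tags (my own labels) for a response carrying per-user state."""
    findings: List[str] = []
    cc = parse_cache_control(header(headers, "Cache-Control"))
    vary = {v.strip().lower() for v in header(headers, "Vary").split(",") if v.strip()}
    storable = shared_cache_may_store(headers)
    if not cc:
        # No directives: a cache may apply heuristic freshness and keep the page.
        findings.append("no-cache-control")
    if "no-cache" in cc and "no-store" not in cc:
        # Stored on disk; a cache that skips revalidation replays it unchanged.
        findings.append("no-cache-only")
    if storable and header(headers, "Set-Cookie"):
        # The response that hands out a session can itself be stored and replayed.
        findings.append("set-cookie-storable")
    if storable and "cookie" not in vary and "*" not in vary:
        # Without Vary: Cookie, one stored copy matches every user's request.
        findings.append("no-vary-cookie")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or "no findings")
```

Run stand-alone, the weak sample produces three findings and the hardened sample none. A cache that disregards directives outright, as Stephen describes, is not stopped by any of these headers; they are defence in depth for caches that honour the spec, which is why his user-side advice of logging out (so the cached session is no longer valid) still stands.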
I have never been logged out of any site. And yesterday I was mid-game when the webpage refreshed into another person's game in another account.... And people have access to the email, and that is not cool, bro, not cool.
1496785004
Stephen Koontz
Forum Champion
Marketplace Creator
Sheet Author
API Scripter
Compendium Curator
Do you think you could private message me the results when you visit this address: app.roll20.net/cdn-cgi/trace
done