Cloud Based Application: Logs in as you - What would you do?

rolando3321 (Member, Posts: 36)
I won't say the name of the company, but we have a cloud based inventory and ticket system. (I think they are small)

They always have bugs and I submit tickets to get them resolved. Well this time they asked for my password and of course I said no. I asked a co-worker if they were experiencing the same issue and they were. I knew the bug was not account related, yet they still insisted on logging on as me to see the issue. I had already submitted a screenshot and then went on to send several screenshots to show the 3 simple steps to get to the error.

At this point they came back and said, "oh we see the bug and will fix it in a few days"

Well they admitted that they logged in as me and they didn't think anything of it. Take the fact that this bug was not related to just my account. The fact is.... at the end of the day they logged in as me, without resetting my password. They should have just reset my password and logged in as my account with the change password flag set.

So this company could go into anyone's account and get their password (a reality that probably exists more often than people would think). I use different passwords so it doesn't compromise me, but I know there are many people who are not IT or security focused. There are many risks with this situation. The truth is my company and various stakeholders won't do anything because that is how they are.

I was curious as to what you guys would do in this situation, if anything?

Comments

  • DoubleNNs (Member, Posts: 2,015)
    In *nix, I can "assume" any user I want to if I have root privileges. I, however, don't need to know your password to do this. I see nothing wrong with this and there are logs that show user switches, though it can be hard to audit in a busy multi-user env.

    They never should have asked you for your password though. This is a huge no-no.
    If they logged in as you without needing your password, that's fine. But they shouldn't have needed to ask you for your password first if they had this ability. If the company keeps your plaintext passwords (AND uses them) you should push to immediately stop using them.
  • rolando3321 (Member, Posts: 36)
    Thanks double!
    You gave me your input on the few things that I was left wondering.

    - Your thought of it being okay
    - Logging in w/o password is okay
    - and where the situation would go too far (plain text password)

    I can work with that and know how far to push the situation (once I get more information about how they are handling the data)
  • TechGuru80 (Member, Posts: 1,539)
    What does your SLA say?

    Honestly, if somebody can directly log in as somebody else without some kind of correlation to who did it, that actually can be a huge issue. I would let your security team know in case there is an issue...not really up to you to decide.

    This kind of issue can really be iffy depending on what information goes into the system...regulated information like PHI or financial information and you could have legal issues. Hopefully it’s clearly laid out in an SLA like it should be, but again just let your security team know.
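DoubleNNs's point (support can act as a user without ever knowing the user's password, as long as the switch is logged) and TechGuru80's point (impersonation with no record of who did it is the real problem) both come down to the same design. The following is an added example, not code from this thread or from the vendor being discussed; the `UserStore`, `impersonate` and `audit_for` names are hypothetical. It stores only a salted PBKDF2 hash, so the service cannot hand a password back to anyone, and it issues impersonation sessions that carry the support user's identity and a ticket reference into an audit log, so the customer's password is neither requested nor reset.

```python
"""Support impersonation without plaintext passwords and with an audit trail.
Added example for the thread above; all names are hypothetical."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # cost factor for the password hash


class UserStore:
    def __init__(self):
        self.users = {}      # username -> {"salt": bytes, "hash": bytes, "support": bool}
        self.audit_log = []  # list of impersonation events (dicts)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str, support: bool = False) -> None:
        salt = os.urandom(16)
        # Only salt + hash are kept; the plaintext is discarded here and cannot be recovered.
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "support": support}

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            self._hash(password, b"\x00" * 16)  # burn the same time so unknown users aren't revealed by timing
            return False
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def stored_secret(self, username: str) -> dict:
        """What a support engineer could see about a user's credential: salt and hash only."""
        rec = self.users[username]
        return {"salt": rec["salt"].hex(), "hash": rec["hash"].hex()}

    def impersonate(self, actor: str, target: str, ticket: str) -> dict:
        """Issue a session bound to `target` on behalf of support user `actor`.

        The customer's password is neither needed nor changed; the session itself
        records who is acting, and the event is written to the audit log."""
        if not self.users.get(actor, {}).get("support"):
            raise PermissionError(f"{actor} is not a support user")
        if target not in self.users:
            raise KeyError(f"no such user {target}")
        session = {
            "session_id": secrets.token_hex(16),
            "subject": target,        # whose data the session can see
            "actor": actor,           # who is really driving it
            "ticket": ticket,         # why
            "issued": datetime.now(timezone.utc).isoformat(),
        }
        self.audit_log.append({k: session[k] for k in ("session_id", "subject", "actor", "ticket", "issued")})
        return session

    def audit_for(self, target: str) -> list:
        """Every impersonation of `target`, answering 'who logged in as me, and when?'"""
        return [e for e in self.audit_log if e["subject"] == target]


def demo() -> dict:
    """Walk through the scenario from the thread: support reproduces a bug as the customer."""
    store = UserStore()
    store.register("rolando", "correct horse battery staple")   # constructed sample credential
    store.register("support.alice", "s3cret-support-pw", support=True)
    session = store.impersonate("support.alice", "rolando", "TICKET-1234")  # placeholder ticket id
    return {
        "password_still_works": store.verify("rolando", "correct horse battery staple"),
        "wrong_password_rejected": not store.verify("rolando", "hunter2"),
        "session_actor": session["actor"],
        "session_subject": session["subject"],
        "audit_entries_for_rolando": len(store.audit_for("rolando")),
        "secret_exposed_to_support": store.stored_secret("rolando"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `stored_secret` view is the check worth running against any vendor: if a support tool can display a password rather than a salt and hash, the vendor stores plaintext and DoubleNNs's "immediately stop using them" applies. The `audit_for` view is what the customer should be able to request after an incident like the one described.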
  • rolando3321 (Member, Posts: 36)
    Yeah.... I work as a contractor on a long term project. We manage a wireless p2p network and mainly handle layer 2 stuff. Of our IT staff, we have 3 techs (I am one of them), a lead and a systems guy; I'm the only one with a discipline in IT. The others can get the job done well enough to make the system that is in place work. They can't see the big picture, or they lack the knowledge of what MAC addresses do and why it was so bad when I discovered duplicate MACs on the same subnet from a vendor's product, which they chose not to ask the vendor about. As you can guess this includes security issues like this and the severity of it.

    As I mentioned before, neither the client nor my PM who works for my company gets it either (we are the prime contractor and I'm the only IT guy on it. The other IT guys are on as a sub but we work well together). I try to address issues, but I have to maintain the work of my position. In addition, I try to handle the many issues that come up regarding things like security, network design flaws, or troubleshooting issues that some others can't resolve. As someone who is striving to reach a higher level of networking it has given me some opportunities to grow, but my company, which focuses on another field, doesn't see it. I also don't have anyone to guide me as a mentor, so I have to go off of what I have learned from studying for my certifications. Sorry for the little rant but it was nice to vent.

    This was a situation where I knew there were a lot of wrong things unfolding, but I had a hard time knowing how far to take the situation (got to keep my company and the client happy!). This is where I greatly appreciate everyone's feedback.

    Ironically they keep preaching security and then when this happens they don't think anything of it. /sigh