UPDATE: Diverse Solutions IDX Security Issue

Back on February first I wrote a post about a security issue we found with the Diverse Solutions Control Panel.  Since then there have been a few changes to the system, and as I’m sure you’re aware, many more on the way.

Yesterday, I received a call from Jonathan Mabe at DS.  We talked at length about the issue and its pending resolution, but the reason for this post is to let you know that Diverse Solutions (Zillow) has been working on resolving the issue.

The first thing they’ve done (which you’ll notice at the bottom of the Control Panel login window) is set the cookie life to 24 hours, meaning that the control panel will only remember you for 24 hours.  It also means that anyone you’ve granted access to will only be remembered for 24 hours.  So if you change your password, anyone still logged in or remembered by the system keeps their access for at most 24 hours from the time their cookie was issued.  Previously this was a sliding expiration, meaning that every time you came back to the control panel within that 24-hour window the clock was reset, so a remembered browser could stay signed in indefinitely as long as it kept returning.  That is no longer the case. (Yay!)

This is a fantastic first step and I’m very thankful to Jonathan not only for addressing the issue, but also for contacting us to fill us in.  As developers, we were very concerned for our clients, but what was of greater concern to us was the liability.  In short, if we can’t be locked out, we can be blamed for just about anything, and no one wants that.

There are still issues:  a password change does not immediately invalidate existing sessions, so anyone already remembered by the system keeps access until their 24-hour cookie runs out, but this too is going to be fixed.  Had the current fixes been in place, my client never would have been hacked.  The fixes, as they stand today, are enough to greatly reduce the possibility of any malicious activity on your accounts, so you can rest a little easier knowing that Diverse Solutions is making good on their promise.
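To make the two points above concrete (the difference between a sliding and an absolute cookie expiry, and why a password change should invalidate sessions that are already remembered), here is a small session-store model. It is an added illustration written for this post, not Diverse Solutions’ or Zillow’s code; the class and method names (SessionStore, login, validate, change_password) and the timestamps are assumptions. The password-change revocation shows the behaviour that is still pending on their side.

```python
"""Session-cookie lifetime model: sliding vs absolute expiry, and
revoking remembered sessions when the password changes.

Hypothetical illustration for this post; not Diverse Solutions' code.
All names and timestamps below are assumptions, not anything from
the real control panel.
"""
import secrets
from dataclasses import dataclass

DAY = 24 * 60 * 60  # cookie lifetime in seconds (the new 24-hour limit)


@dataclass
class Session:
    user: str
    expires_at: float         # absolute deadline, seconds since epoch
    password_generation: int  # user's password generation when the cookie was issued


class SessionStore:
    def __init__(self, lifetime=DAY, sliding=False):
        self.lifetime = lifetime
        self.sliding = sliding           # True = old behaviour, False = new behaviour
        self._sessions = {}              # token -> Session
        self._pw_generation = {}         # user -> int, bumped on every password change

    def login(self, user, now):
        """Issue a fresh random session token bound to the user's current password."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(
            user=user,
            expires_at=now + self.lifetime,
            password_generation=self._pw_generation.get(user, 0),
        )
        return token

    def validate(self, token, now):
        """Return the user for a live session, or None if it is expired or revoked."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now >= s.expires_at:
            del self._sessions[token]
            return None
        # The password changed after this cookie was issued: reject it immediately
        # instead of letting it ride out the rest of its 24 hours.
        if s.password_generation != self._pw_generation.get(s.user, 0):
            del self._sessions[token]
            return None
        if self.sliding:
            # Old behaviour: every visit pushes the deadline out again, so a
            # remembered browser never expires as long as it keeps coming back.
            s.expires_at = now + self.lifetime
        return s.user

    def change_password(self, user):
        """Bump the generation; every session issued under the old password is now invalid."""
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1


def demo():
    """Run the three scenarios on constructed timestamps and report each outcome."""
    t0 = 1_000_000.0  # constructed epoch time for the login
    results = {}

    # Sliding expiry: returning every 23 hours keeps the cookie alive for days.
    old = SessionStore(sliding=True)
    tok = old.login("agent", t0)
    results["sliding_survives_9_days"] = all(
        old.validate(tok, t0 + i * 23 * 3600) == "agent" for i in range(1, 10)
    )

    # Absolute expiry: the same cookie dies 24 hours after it was issued, visits or not.
    new = SessionStore(sliding=False)
    tok = new.login("agent", t0)
    results["absolute_ok_at_23h"] = new.validate(tok, t0 + 23 * 3600) == "agent"
    results["absolute_dead_at_24h"] = new.validate(tok, t0 + 24 * 3600) is None

    # Password change: the remembered session is rejected on its very next request,
    # while a fresh login under the new password works.
    store = SessionStore()
    tok = store.login("agent", t0)
    store.change_password("agent")
    results["revoked_after_password_change"] = store.validate(tok, t0 + 60) is None
    tok2 = store.login("agent", t0 + 120)
    results["new_login_ok"] = store.validate(tok2, t0 + 180) == "agent"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The sliding case is the one to notice: a 24-hour lifetime sounds short, but if each visit resets it, anyone who was granted access and keeps opening the panel is never logged out. The password-generation check is what closes the remaining gap the post describes, since the cookie is tied to the password it was issued under rather than merely to a clock.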

Anyway, just thought you should know.
Here’s to better days ahead.  🙂
