I think I have it figured out.
One of the users of the system noted that when it happened to her she was always clicking the link to the “Portal” from the company public website.
I inspected the link, and it seems when they gave the link to the portal to the person doing the company site, they included a CFID= parameter.
And so whenever someone associated with the company used the link from the site, it would log them in as someone else.
I could never reproduce it on my end because I would never link from the main website. I just have the link to the portal bookmarked with no CFID.
As soon as I went to the main website and clicked the link I was logged in as someone else. It seemed to reliably log me in as the last person who logged in.
That is an extremely odd coincidence I think, and points to a flaw in how Lucee is generating CFIDs.
Because the hard-coded CFID in the link on the website was reliably logging people in as the last person who was logged in before them. How could this happen? Those IDs are supposed to be very random.
According to this finding, we can enable CFID URL Params in an app, then log in to that app, and snatch a CFID, and save it. Then re-use it over and over and get logged in as other people.
This part doesn’t make sense and I’m hoping someone can test this proof of concept.
Stephen
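Added example (not part of the post above and not Lucee's code): a toy Python session store that reproduces the symptom described in the thread. It assumes, as a hypothetical model, that the server adopts a client-supplied CFID-style token as a live session and does not rotate the session ID at login; with a fixed CFID baked into a public link, every visitor who follows that link then shares one session and sees whoever logged into it last. The same model with the URL token ignored, or with the ID rotated at login, does not exhibit the behaviour. All names (SessionStore, Request, scenario) and the token value are constructed for the example.

```python
"""Toy model of session-ID handling (constructed for this thread, not Lucee's code).

Models a server that either honours a client-chosen CFID token from the URL or
ignores it, and either rotates the session ID at login or keeps it. The
vulnerable combination (honour URL token, no rotation) turns a fixed CFID in a
public link into a shared session: classic session fixation.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """One client request: URL parameters plus the browser's cookie jar."""
    url_params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, honor_url_token: bool, rotate_on_login: bool):
        self.honor_url_token = honor_url_token  # hypothetical: accept ?CFID= from the URL
        self.rotate_on_login = rotate_on_login  # hypothetical: issue a fresh ID at login
        self.sessions = {}  # session id -> session data

    def _new_id(self) -> str:
        sid = secrets.token_hex(16)  # server-generated, unguessable
        self.sessions[sid] = {}
        return sid

    def resolve(self, req: Request) -> str:
        """Pick the session for this request, creating one if needed."""
        candidate = req.cookies.get("CFID")
        if self.honor_url_token and "CFID" in req.url_params:
            candidate = req.url_params["CFID"]  # URL token overrides the cookie
        if candidate is not None and self.honor_url_token and candidate not in self.sessions:
            # Vulnerable behaviour: adopt whatever ID the client supplied as a live session.
            self.sessions[candidate] = {}
        if candidate in self.sessions:
            return candidate
        return self._new_id()  # hardened path: unknown/missing ID gets a fresh one

    def login(self, req: Request, username: str) -> str:
        sid = self.resolve(req)
        if self.rotate_on_login:
            data = self.sessions.pop(sid)  # discard any pre-login (possibly fixed) ID
            sid = self._new_id()
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        req.cookies["CFID"] = sid
        return sid

    def current_user(self, req: Request):
        sid = self.resolve(req)
        req.cookies["CFID"] = sid
        return self.sessions[sid].get("user")


def scenario(honor_url_token: bool, rotate_on_login: bool):
    """Alice logs in via the public link; Bob then follows the same link in a fresh browser.

    Returns the user Bob's session is attributed to (None if he is anonymous).
    """
    store = SessionStore(honor_url_token, rotate_on_login)
    public_link = {"CFID": "12345"}  # constructed: the hard-coded CFID in the site's link
    alice = Request(url_params=dict(public_link))
    store.login(alice, "alice")
    bob = Request(url_params=dict(public_link))  # no cookies: brand-new browser
    return store.current_user(bob)


if __name__ == "__main__":
    for honor, rotate in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"honor_url_token={honor!s:5} rotate_on_login={rotate!s:5} -> Bob is {scenario(honor, rotate)}")
```

A practical check that mirrors the model: log in to the portal through the public link, then open the same link in a second private browser window with no cookies. If the second window arrives already logged in, the server is honouring the client-supplied token and not rotating it at login; ignoring URL session tokens entirely, or at minimum issuing a new session ID on successful authentication, removes the shared session.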