
Security/privacy issue: last task of previously logged-in user stays visible #54

Open
digital-carver opened this issue Dec 17, 2020 · 1 comment

Comments


digital-carver commented Dec 17, 2020

I had previously created an account several weeks back, created a couple of projects, then hadn't used Pendulums for a while.

Today, I opened the website again, and was prompted to login/signup. Not remembering that I'd already created an account, I signed up for a new account with a different email address. When I verified that address and logged into Pendulums, I was surprised to see that one of my personal projects' name was already shown on the top. Because of this, I opened a different browser and tried logging in to Pendulums with my old email address, just in case. As I suspected, it was listed among the Projects there - I had created that project in my previous account with Pendulums. Somehow that seems to have been persisted in the browser despite me getting logged out of that account, and hence was shown in my new account.

The project was not shown in the Projects list in the new account, and clicking on the project name in the top right did not open a dropdown - so it only reveals the last active project's name, not any other info afaict. In my case, this is not much of an issue, but it should be clear how this could be a big privacy issue on a shared computer or for people using it from Internet cafes.

This is in the latest Firefox. And in case it matters, the email IDs of both accounts had the same username part (i.e. old account was created with <myusername>@oldmailhost.com and new account with <myusername>@newmailhost.com).

@mohammadrafigh
Member

WOW! Weird! Thanks for reporting this. I think the problem is related to the client caching mechanism; "Pendulums" stores user data on the client to allow using Pendulums when there is no internet connection and sync data later. We tried your case. I should mention that if you sign out manually this issue won't happen, because we clear local data on sign out. But when your session has expired and the backend says you should sign in again, we don't clear your local data. So if you have offline data and sign in to the same account again, this behavior prevents losing your un-synced data; but if you sign in with a different account: oops! We should allow the client to keep multiple offline records for different accounts. We can do this with a local database migration, and for better privacy in public areas we should also encrypt locally stored data.

So as a conclusion: This issue only happens if the server decides the user should be signed out for some reason (token expiry etc.) and the user signs in with a different account.

Thanks for reporting this issue; we will put it in our planning stack.
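The maintainer's comment describes the root cause (one shared slot of offline client state that is cleared on manual sign-out but kept on session expiry) and the intended fix (keeping separate offline records per account). The following is an added illustration of that fix in plain JavaScript; it is not Pendulums' own code, and the `MemoryStorage` shim, the `SharedCache`/`PerAccountCache` classes, the user records and the project name are all constructed for the example. `SharedCache` reproduces the reported leak; `PerAccountCache` partitions every key by the server-issued account id (rather than by e-mail address, so the reporter's identical local-parts cannot collide), which lets un-synced data survive a token expiry while never surfacing another account's data.

```javascript
// Minimal in-memory stand-in for window.localStorage so the example runs under Node.
// (Constructed for this example; a browser would use localStorage/IndexedDB instead.)
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  get length() { return this.map.size; }
}

// Behaviour as described in the thread: a single global slot for the last active
// project. Sign-out clears it, but session expiry keeps it, so the next account
// to sign in on this browser sees the previous account's project name.
class SharedCache {
  constructor(storage) { this.storage = storage; }
  setLastProject(_user, name) { this.storage.setItem('lastProject', name); }
  getLastProject(_user) { return this.storage.getItem('lastProject'); }
  onSessionExpired() { /* local data intentionally kept to preserve un-synced work */ }
  onSignOut(_user) { this.storage.removeItem('lastProject'); }
}

// Hardened variant: every key is namespaced by a stable account id, so reads for
// one account can never return another account's data. Expiry still keeps the
// partition (no data loss); manual sign-out wipes only that account's partition.
class PerAccountCache {
  constructor(storage) { this.storage = storage; }
  key(user, field) { return `acct:${user.id}:${field}`; }
  setLastProject(user, name) { this.storage.setItem(this.key(user, 'lastProject'), name); }
  getLastProject(user) { return this.storage.getItem(this.key(user, 'lastProject')); }
  onSessionExpired() { /* keep data; it is partitioned, so nothing leaks across accounts */ }
  onSignOut(user) {
    const prefix = `acct:${user.id}:`;
    const doomed = [];
    for (let i = 0; i < this.storage.length; i++) {
      const k = this.storage.key(i);
      if (k !== null && k.startsWith(prefix)) doomed.push(k);
    }
    doomed.forEach((k) => this.storage.removeItem(k));
  }
}

// Replays the reporter's scenario: account A sets a project, the backend expires
// the session (no manual sign-out), then account B signs in on the same browser.
// Returns what account B sees as its "last active project".
function replayScenario(cache) {
  const oldUser = { id: 'u-1', email: 'me@oldmailhost.com' }; // constructed
  const newUser = { id: 'u-2', email: 'me@newmailhost.com' }; // constructed
  cache.setLastProject(oldUser, 'Personal Project');
  cache.onSessionExpired();
  return cache.getLastProject(newUser);
}

// Checks that the hardened cache still keeps un-synced data across an expiry
// for the *same* account and drops it on an explicit sign-out.
function sameAccountLifecycle() {
  const cache = new PerAccountCache(new MemoryStorage());
  const user = { id: 'u-1', email: 'me@oldmailhost.com' }; // constructed
  cache.setLastProject(user, 'Personal Project');
  cache.onSessionExpired();
  const afterExpiry = cache.getLastProject(user);
  cache.onSignOut(user);
  return { afterExpiry, afterSignOut: cache.getLastProject(user) };
}

console.log('shared cache leaks to new account:', replayScenario(new SharedCache(new MemoryStorage())));
console.log('per-account cache for new account:', replayScenario(new PerAccountCache(new MemoryStorage())));
console.log('same-account lifecycle:', sameAccountLifecycle());
```

Partitioning by account id fixes the disclosure, but, as the maintainer notes, on a shared machine the previous account's partition is still readable by anyone with access to the browser profile; encrypting the local store under a key that is only available while that account is authenticated is the complementary control.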
