I'm not sure what else to call it, so I'm calling this post "TypePad Security Flaw". While working with a customer this flaw was discovered.

Here's the scenario

  • Many customers give me their TypePad logins while others change the login (password) temporarily to allow me access for the day, for example, and then change it back (to their "real" password) when I'm finished.
  • I was logged into TypePad under the login and password A.
  • I did some work and left myself logged in as I had more work to continue later on.
  • However, the user reset the password back to B. If I opened a new browser (since I use a few different browsers, say Firefox and Safari for the Mac) and attempted to log in with password A, I could not get in.
  • However, I am still logged into TypePad on the original browser and still under password A.
  • FLAW: I can still work on the blog and make changes even though the password has been changed.
  • FLAW:  I can still continue to work even after refreshing the page, going to other areas of the blog.  I am literally still logged in and continue to work even though the password has been changed. So basically the account is literally able to be worked on under two logins until I log out of TypePad (where I was using password A).
  • Of course I simply logged out but feel I should not have been allowed to continue to work once the page was refreshed and that TypePad should have flagged the password was changed and forced me to re-login. 
  • SOLUTION: Seems to be missing a session timeout, similar to what PayPal has if you leave the application idle (not used) for x-amount of time. TypePad should implement this (session timeout) to prevent a situation like this or a similar case.
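
The behaviour in the list above comes down to a session that outlives the password it was created with. As an added example (not from the original post and not TypePad's code), this Python sketch shows one way a server can force a re-login both after a password change and after idle time; the `SessionStore` class, the `cred_version` field and the 15-minute timeout are assumptions made for illustration.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, tune per application


class SessionStore:
    """In-memory sketch: each session is tied to a per-user credential version."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}     # username -> {"salt", "pw", "cred_version"}
        self._sessions = {}  # token -> {"user", "cred_version", "last_seen"}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, password):
        user = self._users.setdefault(username, {"cred_version": 0})
        user["salt"] = secrets.token_bytes(16)
        user["pw"] = self._kdf(password, user["salt"])
        user["cred_version"] += 1  # every session issued earlier is now stale

    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not secrets.compare_digest(
                user["pw"], self._kdf(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username,
                                 "cred_version": user["cred_version"],
                                 "last_seen": self._clock()}
        return token

    def validate(self, token):
        """Run on every request; returns the username, or None to force re-login."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        stale = s["cred_version"] != self._users[s["user"]]["cred_version"]
        idle = now - s["last_seen"] > IDLE_TIMEOUT
        if stale or idle:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]
```

An idle timeout alone would not have ended the session in the scenario above, because the browser was in active use; the credential-version check is what rejects it on the next page load.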

Anyway, I considered this a "flaw" so that's why I wanted to bring it to your attention. Don't get me wrong, my Blogs By Heather blog, this blog, is a TypePad blog, I'm on the TypePad Experts page, and enjoy using TypePad and its many popular features! I just found this surprising and wanted to share it with you.

Happy Blogging!

Heather Wright-Porto
www.BlogsByHeather.com 
