Zoho users logging into other accounts by accident

Zoho users beware. There appears to be a nasty bug whereby a user logs in with their own credentials, but finds themselves logged into another user’s account:

Over the last couple of weeks I have experienced that I get logged on to another account that I do not know!
I can see the other account documents. Just a few minutes ago I tried to use my own logon but was logged in to the account of <…>

says a user on the Zoho forums.

Zoho says it is fixing this urgently:

We have analyzed the logs and found some race conditions that could happen under high load. We have a fix in, and are continuing to monitor it very closely. We have also launched a complete review of security, so that this type of issue does not recur. We are taking it very seriously and apologize profusely.

Food for thought nonetheless. This is the kind of reason people cite for sticking with on-premise applications. I argue that data is often safer in the cloud, but this kind of incident makes you wonder.


2 thoughts on “Zoho users logging into other accounts by accident”

  1. Tim, we had a software race condition in a common underlying framework that caused this. We detected it, and by then up to 12 users were impacted. We take this very seriously, and we immediately took down the servers. We put in a patch, and have 2 engineering teams working on it round the clock to ensure that it will not recur.

    We understand that our entire business is based on the user’s trust, and we are taking it very seriously.

