4 Replies. Latest reply: Jun 15, 2013 3:03 PM by Qwelldrin

    MAJOR SECURITY ISSUE

    slingplayerweav

      All,

      I am a long-time Slingbox customer who recently upgraded from a Classic to a Slingbox 350.

       

      ISSUE:

      Password reset/changes DO NOT force already logged in/cached devices to enter the NEW password.

       

      EXPLANATION:

      Example: you use your Slingbox on a shared computer; Computer A.  Your username and password are cached on Computer A.

      You then decide you do NOT want that shared computer accessing your Slingbox account.  On another computer, Computer B, you change the password of your Slingbox account.  The issue is that Computer A can STILL access your Slingbox even though the password is changed.  The same is true for mobile devices.  If you change the password of your account, mobile devices logged in using the OLD password are fully functional without using the new password.

       

      ACTION:

      I contacted Slingbox support last night and the agent was very friendly but acknowledged she had no way of posting a security concern.

      Case #00723946.

      Her advice was never to use Slingbox on a device that is shared and the user MUST log off.  If you accidentally do NOT log off, you have to reset your Slingbox and create a NEW Slingbox account.  I explained this solution was unacceptable to place the responsibility on the user.  When you change the password on your Gmail account, for example, it forces all other devices (even if they have cached credentials) to reenter the new password before logging in.

      Maybe I am missing something obvious or this is a known issue but this is a significant concern.

      Thanks.
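
The behaviour the post asks for, a password change that forces other devices to log in again, shown as an added example that is not part of the original post and is not Sling's code. `AccountStore`, its methods and the sample accounts are hypothetical; each session is bound to a credential generation number that the password change increments.

```python
import hashlib, hmac, secrets

class AccountStore:
    """Hypothetical account service: sessions carry the credential generation."""
    def __init__(self):
        self._accounts = {}   # username -> {"salt", "hash", "gen"}
        self._sessions = {}   # token -> (username, generation at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._accounts[user] = {"salt": salt, "hash": self._hash(password, salt), "gen": 0}

    def login(self, user, password):
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, acct["gen"])
        return token

    def change_password(self, user, new_password, keep_token=None):
        acct = self._accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = self._hash(new_password, acct["salt"])
        acct["gen"] += 1  # every session issued under the old password is now stale
        if keep_token in self._sessions and self._sessions[keep_token][0] == user:
            self._sessions[keep_token] = (user, acct["gen"])  # only the changing device stays in

    def validate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, gen = entry
        if gen != self._accounts[user]["gen"]:
            del self._sessions[token]  # stale session: must log in with the new password
            return None
        return user

def demo():
    # Constructed scenario from the post: Computer A is shared, Computer B changes the password.
    store = AccountStore()
    store.register("alice", "old-pass")
    computer_a = store.login("alice", "old-pass")
    computer_b = store.login("alice", "old-pass")
    store.change_password("alice", "new-pass", keep_token=computer_b)
    return store.validate(computer_a), store.validate(computer_b), store.login("alice", "old-pass")
```

The check belongs on the server at every request, since a client that has cached a token or the old password never asks permission to keep using it.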