PSA: Check Your Security | Someone NOT on the access list of a secure app fully used the app

Just like the title says

  • I awoke this morning to find a “new” user in an app I’m working on
    - Which is odd, because it’s a secure app and I didn’t add any new users into the mix.
  • After some quick investigation, I find out this was someone that was approved - but logging in using a different email
  • The email they used to log in IS NOT approved to use the app (aka: not on the user list of emails)
  • Yet they were able to:
    • Fully log in
    • Create a bunch of new records
    • Kick off automations

None of which should have happened, because the email they used to access the system ISN’T on the access list.

Check your security


8 Likes

SAME!

2 Likes

In my case the situation was specific to an already authorized user, they were logging in with a different email - but they were already logged into the original account on the device.

So there was likely some sort of conflicting element there that confused the system, but it was for somebody that already had access.

I was not able to access an app through an account that does not have any other associated account with access… If that made any sense. Lol

3 Likes

I was able to view all the apps that are not even shared with me but from an email I used in a company I have resigned from. I do not even have access to that company email.

The email was logged in from this browser but I was using my personal email to login and edit applications.

I found this bug a few months back and it just disappeared.

2 Likes

Can you clarify if the user you found was one of your existing users but with a different address?

1 Like

Exactly, same as Matt. An authorized user with another email that was not authorized.

This may be a cache thing or similar, Idk

2 Likes

Both emails were from the same user, one email was approved - the one they used was not.

1 Like

Any comments on this? Still makes no sense and seems like a BIG security risk.

We had a meeting the other day and the client was able to login using the unauthorized (not in the user list) email in incognito mode with no problems at all.

I also was able to do something similar with two different accounts of mine.


From early testing, for some reason, it seems related to when you share access between accounts to different storage providers. Like connecting your OneDrive to a Google account in AppSheet, then your Microsoft account would have access magically

1 Like

Attn @lizlynch @Arthur_Rallu @zito @benhare

2 Likes

The same thing happened to me today. An employee somehow logged in with her personal gmail account instead of her work domain account. The app is only shared to her work account!

This is a recent change, because a few months ago she had trouble logging in, until I pointed out to her that she was using the wrong browser window…

1 Like

Update: AppSheet support pointed out to me that if I look at the audit records, the signed in user was in fact the work account. Yet the USEREMAIL() expression was picking up her gmail account. This seems to be more of a bug in the USEREMAIL() than in the security of the app.

This doesn’t seem to be related to the problems which @SkrOYC had before, since I verified that in my case an unauthorized user still can’t access the app.

1 Like
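
Added example, not part of the original thread and not AppSheet's own tooling: one way to tell apart the two cases discussed above, an unlisted address actually signing in versus an approved sign-in whose stored USEREMAIL() value differs, by joining an audit export against the app's records. The CSV layouts, the column names (`action_id`, `signed_in_user`, `created_by`) and all addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for this example,
# not AppSheet's actual audit-log or table export format.
ALLOWED = {"ana@work.example", "bob@work.example"}

AUDIT_CSV = """action_id,signed_in_user
a1,ana@work.example
a2,Ana@Work.example
a3,bob@work.example
a4,eve@mail.example
"""

RECORDS_CSV = """action_id,created_by
a1,ana@work.example
a2,ana.personal@mail.example
a3,bob@work.example
a4,eve@mail.example
a5,bob@work.example
"""

def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()

def load(text, value_column):
    """Map action_id -> normalized email from one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["action_id"]: norm(row[value_column]) for row in rows}

def classify(allowed, audit, records):
    """Return (action_id, finding, email) for every record needing review."""
    allowed = {norm(e) for e in allowed}
    findings = []
    for action_id, stored in sorted(records.items()):
        signed_in = audit.get(action_id)
        if signed_in is None:
            findings.append((action_id, "no-audit-entry", stored))
        elif signed_in not in allowed:
            # The platform itself let an unlisted address in.
            findings.append((action_id, "unauthorized-sign-in", signed_in))
        elif stored != signed_in:
            # Sign-in was approved, but the stored email disagrees with it.
            findings.append((action_id, "identity-mismatch", stored))
    return findings

if __name__ == "__main__":
    audit = load(AUDIT_CSV, "signed_in_user")
    for finding in classify(ALLOWED, audit, load(RECORDS_CSV, "created_by")):
        print(finding)
```
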

@MultiTech I’m sure you have a column that stores the user email. What does it store? The approved email or the non approved?

1 Like

In my case both, depending on the one the user has logged in with

2 Likes

This was about 3 months ago, I don’t much remember…

Overall the “user” or “person” was approved, but the specific email they used to login and do things was NOT on the approved list.

I haven’t seen this since, fyi.

1 Like

Well, I just saw this again, even in the editor!

Yes, you heard me right.
@MultiTech The Insiders thing popped up in my Outlook, but guess which account of mine is the one that has access…

1 Like

I kept an eye on this thread, thank you all for feeding it.

I ran a test with another thing, I would suspect a Google Chrome glitch with AppSheet.

The scenario, easily reproducible:

  1. Sign in with your usual account

  2. Sign out

  3. Sign in with another account

  4. You will notice you are redirected and then logged in with the first one 🙂

@Arthur_Rallu did someone report this issue?

@MultiTech @SkrOYC @Fabian_Weller @Jonathon @EliK do you experience the same?

EDIT:

About the 4th point, this is OK when using separated sessions with Google Chrome.

However: I use a password manager for accessing an admin account. But it can’t be used because of this issue. I’m using Dashlane.

The scenario:

  1. Sign in to Dashlane using my personal account

  2. trying steps above

  3. can’t connect to the admin account because of redirection

EDIT2:

I think this situation is not new. The situation with the “redirection over second account logged” was already existing one year ago.

3 Likes

In my experience it’s different, and it spreads across different devices/OS and browsers.
It even happens in the AppSheet app.

I have granted access to different storage between my work account and personal account and I even use one account just to give access to one personal app we use as a family to my son, and it’s showing apps that are from my work, while this account is not in the user permissions section of those apps.

I feel like someone really messed things up in the backend.

6 Likes

Man, this is worse than I expected, I can access as an Editor in multiple accounts of mine (tested using incognito mode) even though just my personal account has access

1 Like

Can someone record a video reproducing this, starting from a fresh chrome profile?


I just downloaded Firefox (AppImage in the /tmp directory in Linux) to test the Chromium theory (I also used Incognito) and it’s the same thing, so it might be a backend mess-up.

That’s an app @MultiTech shared with me in my 2nd personal AppSheet account and it’s showing in my company’s AppSheet one!

3 Likes