Session IDs and Anonymous Surveys

My company is using a consulting firm to run a survey on employee engagement. The survey is supposedly anonymous and only aggregate data is viewed.
When I went to take the survey, I noticed that the URL was https://www.%externalvender%.com/Base/Custom/%company%/survey.asp?Survey=42&UserSessionid=23419&l=1
Being a security professional, I opened another window and started decrementing the UserSessionID in the URL. Sure enough, I began seeing other employees' responses. Even for an anonymous survey this should not happen. Users are prompted to supply their division, location, age (optional), length of tenure (optional) and ethnicity (optional). If the optionals are supplied it shouldn't be hard to figure out who filled in the responses. Users shouldn't be able to see other users' responses.
The URL is HTTPS so I figured it wasn’t a caching issue on our end, but just to be sure I reproduced the results from an external computer.
So what lessons can be learned here? First, don't use a predictable session ID (in this case it was sequential). I'm not a web security guy, but I'm thinking a cookie could also be used to prevent this kind of session browsing.
Update: This problem was reported to the vendor when I discovered it. They found that it was caused by a recent update, and they removed the update.
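The two lessons above (unguessable session identifiers, plus a cookie that the URL alone does not carry) in working form, as an added example that is not the vendor's code. The class and function names are hypothetical; the store is in-memory so it runs offline, and the sequential IDs in the comments are constructed to mirror the URL pattern in the post.

```python
import secrets


class SurveyStore:
    """Survey back end that keys each respondent's answers on a random URL
    token and additionally requires a second random secret, meant to be set
    as an HttpOnly cookie, so a copied or guessed URL is not enough."""

    def __init__(self):
        self._records = {}  # url_token -> {"cookie": str, "answers": dict}

    def start_session(self):
        """Issue a fresh session: 256-bit URL token plus a cookie secret.
        Neither value is derived from a counter, so 'decrementing' it
        yields nothing."""
        url_token = secrets.token_urlsafe(32)
        cookie_secret = secrets.token_urlsafe(32)
        self._records[url_token] = {"cookie": cookie_secret, "answers": {}}
        return url_token, cookie_secret

    def _authorize(self, url_token, cookie_secret):
        record = self._records.get(url_token)
        # Unknown token, or a token whose cookie does not match: deny.
        # compare_digest keeps the comparison constant-time.
        if record is None or not secrets.compare_digest(record["cookie"], cookie_secret):
            raise PermissionError("session not found or cookie mismatch")
        return record

    def save_answer(self, url_token, cookie_secret, question, answer):
        self._authorize(url_token, cookie_secret)["answers"][question] = answer

    def get_answers(self, url_token, cookie_secret):
        # Returns a copy so callers cannot mutate the stored record.
        return dict(self._authorize(url_token, cookie_secret)["answers"])


def looks_sequential(ids, max_gap=10):
    """Defender's check: given session IDs collected from issued survey links,
    return True when they are small-gap integers, i.e. the scheme in the post."""
    try:
        nums = sorted(int(i) for i in ids)
    except ValueError:
        return False  # non-numeric random tokens cannot be stepped through
    return len(nums) > 1 and all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))
```

Run looks_sequential over a handful of session IDs harvested from your own invitation links before a survey goes live; a True result is the finding described in this post.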

2 Comments

  1. Wowww. That is bad. Yeah, they should be putting in an unguessable, non-incremental session ID in the URL. But then again, it probably doesn’t give a respondent a warm fuzzy feeling about anonymity if they are invited to a link with a specific user or session ID in it. An exception might be if the survey is hosted by a 3rd party company, like anonymous-surveys.com that has a privacy policy statement that it doesn’t reveal the personally identifying information to the survey creator in the survey results. They also do paid “anonymous” online surveys with anonymous payments which is quite unique–and nice for those of us more security and privacy minded.

Comments are closed.