"Hello, my name is maymay. I'm a blogger writing at maybemaimed.com. I'd like to show you a privacy concern I have with FetLife.com that would let practically anyone hijack your FetLife account.

On the left side of the screen, you can see I've got a Google Chrome web browser window open. Now, on the right side of the screen, I'm going to open a connection to another computer of mine. And I'm going to launch the Firefox web browser. On that remote computer, I'm going to go ahead and log in to FetLife using a test account that I set up called fetfails.

As you may know, when you log in to a website like FetLife, it typically gives you some cookies. Here I'm using the free Firebug extension for Firefox to have a look at the cookies. In FetLife's case, you're given one cookie called _FetLife_session which it uses to identify you. It gives you some others, but that's the only one we care about. This single "session cookie" functions like a key to your FetLife account as it's the only thing you (or anyone else) need to make FetLife believe that you are who you said you were when you logged in. I'm going to make a note of it here in this text editor.

Now, over in my Chrome window here, you can see that I'm very much logged out of FetLife. So what I'm going to do is log out of FetLife, and doing this SHOULD invalidate that session cookie; it should make that particular session go away so that no one can use it again. But what I'm going to do is go into my cookie editor in Chrome (this is a free extension called Edit This Cookie), and I'm going to paste in the session from before, the one that I expect to be invalid from the remote computer, and I'm just going to hit the home page again. And, as you can see, I'm very much logged INTO FetLife on the fetfails account. Since FetLife never asks me for fetfails's password again, I can do anything I want on this account, including changing the password.

So, what this shows is that if some malicious user watches you so much as load a FetLife.com webpage while you're logged in just one time, they can use the cookie they saw you use to pretend to be you on FetLife. I think FetLife should address this issue as soon as they can. One important thing they can do is, for example, ask you to provide your password when you take certain actions. Obviously, they should at least do this when someone wants to change your account's password. You can learn more about this on my blog post about the issue at maybemaimed.com. Thanks for watching and for raising the issue to FetLife to help secure our fellow FetLife users."
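
The two fixes the transcript asks for, logout that really ends the session and a password prompt before a password change, sketched as an added example that is not part of the video or FetLife's code. It assumes one common cause of the behaviour shown, a session held entirely in a signed cookie; the page does not say how FetLife stores sessions, and every class and function name here is hypothetical.

```python
import hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # constructed demo signing key

def pw_hash(text):
    return hashlib.sha256(text.encode()).hexdigest()  # demo only; use a slow KDF for real passwords

def sign(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

class StatelessSessions:
    """Weak (assumed design): the signed cookie is the whole session; the server keeps no record."""
    def login(self, user):
        return f"{user}.{sign(user)}"
    def logout(self, cookie):
        pass  # nothing to revoke: the server can only ask the browser to drop its copy
    def user_for(self, cookie):
        user, _, sig = cookie.rpartition(".")
        return user if hmac.compare_digest(sig.encode(), sign(user).encode()) else None

class ServerSideSessions:
    """Hardened: the cookie is a random id, valid only while the server still holds it."""
    def __init__(self, password_hashes):
        self.password_hashes = password_hashes  # user -> pw_hash(password)
        self.sessions = {}                      # session id -> user
    def login(self, user):                      # password check at login omitted for brevity
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid
    def logout(self, sid):
        self.sessions.pop(sid, None)            # revoke on the server, not just in the browser
    def user_for(self, sid):
        return self.sessions.get(sid)
    def change_password(self, sid, current_password, new_password):
        user = self.user_for(sid)
        if user is None:
            return False                        # unknown or revoked session
        if not hmac.compare_digest(pw_hash(current_password), self.password_hashes[user]):
            return False                        # a valid cookie alone is not enough
        self.password_hashes[user] = pw_hash(new_password)
        # End every other session for this user so an old copied cookie stops working.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user or s == sid}
        return True

def replay_after_logout(store):
    """Log in, copy the cookie, log out, then present the copied cookie again."""
    cookie = store.login("fetfails")
    store.logout(cookie)
    return store.user_for(cookie)
```

`replay_after_logout` returns the account name for the stateless store and `None` for the server-side store, which is the difference the demonstration turns on.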