Groupon Log-In Bug Offers Access to Wrong User Account

UPDATED: Groupon is investigating the case of a Seattle man who was able to log into another user’s Groupon account by using Facebook Connect. Matt Steckler, a former web developer and current Seattle tech recruiter, said he fired up his Groupon iPhone app yesterday to check on a deal he had bought earlier in the morning. What he found was that he was logged in as someone completely different: another “Matt” from San Francisco with a different last name.

Steckler said he had used Facebook Connect to sign into his iPhone account and didn’t notice the switched accounts until he went to check on his deal. When he tried to get into his web account from his computer, he again used Facebook to log in. But after failing a couple of times because the account was using the other user’s Facebook log-in, Steckler clicked out of the log-in screen and was still able to gain access to the other person’s account. Steckler was able to use the other user’s Groupon account and even made a couple of test purchases, which he later cancelled.

We contacted Groupon and they said they were looking into the issue. It’s unclear how many other people might be affected. It’s possible that it’s only Steckler, though he doubts that. As a former web developer, he has built two apps that utilized Facebook Connect for log-ins. He suspects that at some point in the last week or so, Groupon made some sort of change to its database so that when users logged in through Facebook Connect, the system was rewriting Facebook Connect data, user ID information and tokens with incorrect values. If true, it could be that more users are also affected if their accounts were mixed up with others.

“This is a huge deal,” said Steckler. “I love Groupon but this shouldn’t happen. I shouldn’t log in and be able to access someone else’s account.”

Steckler believes the issue showed up within the last week because he doesn’t recall seeing the other user’s information when he last used his iPhone app a week ago. He believes this is not an issue with Facebook but with the way Groupon is handling the log-in information.

One of my colleagues and I haven’t been able to recreate the issue, so again, this could be very isolated. But Steckler wonders if Groupon’s fast growth may have something to do with the problem, causing sloppiness in its database. This is not the first time Groupon users have noticed log-in issues: Groupon members reported log-in problems in February with a popular Barnes & Noble deal. I’ve seen other cases reported of users having a hard time logging into Groupon.

Groupon seems to be aware of the seriousness of the problem. Groupon’s VP of engineering, David Gourley, called Steckler this afternoon to get more information on the problem. We’ll let you know if we hear more back from Groupon. It’s still unclear how big a problem this is, but it’s still a bad lapse that shouldn’t occur for a company handling consumer financial information. Perhaps a big IPO payday can pay for a new database to prevent something like this from happening again.

UPDATE: Groupon’s iPhone app appeared to have temporary problems this afternoon. An error message at one point said there was a network error: “An ssl error has occurred and a secure connection to the server cannot be made.” The web site may have also experienced problems with Facebook Connect. A co-worker and I were not able to log out of Groupon on a Chrome browser after signing in with Facebook Connect. Now it’s not clear why this has happened. But it could be that Groupon was working on its Facebook Connect log-in access, which could be affecting the iPhone app and the website. I have again reached out to Groupon for comment.