Last read can be changed by sending this Report_UpdateLastRead with user account number - Reported by @K4tsuki

[mvtglobally]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Open app
2. Send API request Report_UpdateLastRead for Account A (left window), on Account B room using Account B credential.
   & Change sequence number, Account A email and account number

Expected Result:

User should not be able to change read unread messages bypassing login

Actual Result:

When opening Expensify on new tab, you have unread messages on that room because of the Api request.

Workaround:

Unknown

Platform:

Where is this issue occurring?

• Web

Version Number: 1.1.23-0
Reproducible in staging?:
Reproducible in production?:
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

lastRead_c.mp4

Expensify/Expensify Issue URL:
Issue reported by: @K4tsuki
Slack conversation: https://expensify.slack.com/archives/C01GTK53T8Q/p1640135067456000

View all open jobs on GitHub

[MelvinBot]

Triggered auto assignment to @deetergp (Engineering), see https://stackoverflow.com/c/expensify/questions/4319 for more details.

[chiragsalian]

Discussed with scott and taking over this issue 🙂

[chiragsalian]

Demoting since its not a severe bug and its not something users are actively exploiting.

[MelvinBot]

Triggered auto assignment to @mallenexpensify (Internal)