Thanks for expressing your concerns in this thread, Artem. Let me clarify some of the points mentioned here:
ARTEM SEDOV wrote:
What this means is that a site staff member can pretend to be me and do things like financial operations on my behalf.
Please note that site staff members have at their disposal a mechanism that allows them to simulate what a user can or cannot do in the site. This feature is particularly effective for troubleshooting but it does not allow staff members to access any private financial data or perform any financial operation. Remember that ProZ.com uses third-party processors for payments. This means that the site does not store credit card or other payment information, and has no access to this data.
I understand that they probably wanted to help me, but I have never heard of any website staff having direct access to users' login data and being able to substitute themselves for the users.
As for login information, ProZ.com stores passwords in encrypted form and therefore they are not human-readable (not even by site staff members).
This is very concerning; I think this is a serious security and privacy flaw at proz.com.
And as such I wanted to notify other users regarding this.
There is no privacy flaw in the reply you received to your support request or in the actions performed by the support provider dealing with the issue you reported. What staff did in this case was to follow the steps you had followed to submit your payment to see if there was some problem with the online payment system at ProZ.com. No issue could be reproduced and the staff member confirmed that following the correct steps should lead no further than to 2Checkout's homepage (once there, it is up to you to move forward with your payment).
If they can pretend to be a different person, a user in this case, this means they can actually do many unpleasant things, as proz.com has financial features like the "wallet", for instance.
What if they log in as a random user and withdraw funds from the user's wallet to their own account? Would it matter in this case whether they saw the passwords? How would the user prove he or she did not do this?
Or someone could take "revenge" on a user or other persons by doing something on the user's behalf, say posting message threads or something unpleasant at the site.
The opportunity to login and pretend to be a different person is actually rather tempting.
Hope this clarifies.
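The staff reply above describes a "simulate what a user can or cannot do" mechanism that is said to exclude financial operations, and the original post asks how a user could prove that an action taken in their account was not theirs. The following is an added example, not ProZ.com's code or a description of its implementation, of how such a scoped impersonation feature is commonly built: the session carries both the simulated user and the real staff actor, a policy denies money-moving actions and allows only a short troubleshooting allowlist while impersonating, and every decision is written to an audit trail keyed by the real actor. The action names, the policy sets and the account identifiers are assumptions chosen for illustration.

```python
"""Scoped "view as user" (impersonation) with a deny list for financial
actions and an audit trail that records the real actor.

Added example; not ProZ.com's code. Action names and policy sets are
assumptions used to illustrate the design.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed policy: an impersonated session can never move money ...
FINANCIAL_ACTIONS = frozenset({"wallet.withdraw", "wallet.transfer", "payment.submit"})
# ... and may only exercise a small allowlist of troubleshooting actions.
IMPERSONATION_ALLOWLIST = frozenset({"profile.view", "payment.start_checkout", "forum.view"})


@dataclass
class Session:
    user_id: str                    # account whose permissions are being simulated
    actor_id: Optional[str] = None  # real staff account when impersonating, else None

    @property
    def impersonated(self) -> bool:
        return self.actor_id is not None and self.actor_id != self.user_id

    @property
    def real_actor(self) -> str:
        # The audit trail always names the person who actually acted.
        return self.actor_id or self.user_id


@dataclass
class AuditEvent:
    ts: str
    actor_id: str   # who really performed the action
    user_id: str    # whose account it was performed in
    action: str
    allowed: bool
    reason: str


class AuthorizationError(Exception):
    pass


class Authorizer:
    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def decide(self, session: Session, action: str) -> AuditEvent:
        """Apply the impersonation policy and record the decision.

        A user acting as themselves falls through as allowed; a real system
        would run its normal per-user permission checks here (omitted).
        """
        if not session.impersonated:
            allowed, reason = True, "acting as self"
        elif action in FINANCIAL_ACTIONS:
            allowed, reason = False, "financial action blocked while impersonating"
        elif action not in IMPERSONATION_ALLOWLIST:
            allowed, reason = False, "action not in impersonation allowlist"
        else:
            allowed, reason = True, "permitted by impersonation allowlist"
        event = AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            actor_id=session.real_actor,
            user_id=session.user_id,
            action=action,
            allowed=allowed,
            reason=reason,
        )
        self.audit.append(event)   # denied attempts are recorded too
        return event

    def authorize(self, session: Session, action: str) -> None:
        event = self.decide(session, action)
        if not event.allowed:
            raise AuthorizationError(
                f"{event.actor_id} -> {event.action} on {event.user_id}: {event.reason}")

    def actions_by_others_on(self, user_id: str) -> List[AuditEvent]:
        """Everything done in this account by someone other than its owner.

        This is the record that answers "how would the user prove they did
        not do this?": the actor field names the staff account, not the user.
        """
        return [e for e in self.audit if e.user_id == user_id and e.actor_id != user_id]


def demo() -> dict:
    auth = Authorizer()
    staff_as_user = Session(user_id="artem", actor_id="staff42")   # assumed ids
    owner = Session(user_id="artem")

    checkout = auth.decide(staff_as_user, "payment.start_checkout")  # reproducing the flow
    withdraw = auth.decide(staff_as_user, "wallet.withdraw")         # refused and logged
    own = auth.decide(owner, "wallet.withdraw")                      # the owner acting
    return {
        "checkout_allowed": checkout.allowed,
        "withdraw_allowed": withdraw.allowed,
        "withdraw_actor": withdraw.actor_id,
        "own_allowed": own.allowed,
        "by_others": [(e.action, e.actor_id, e.allowed)
                      for e in auth.actions_by_others_on("artem")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two design points worth keeping even if the policy sets change: the impersonated session never drops the real actor's identity, so nothing done under impersonation can be attributed to the user, and denied attempts are logged alongside allowed ones, so an attempt to withdraw funds leaves a trace even though it fails.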