Encrypt registrant ID when editing a registration

9 years 8 months ago #49194 by Judy Akers
Our QA unit found out that using the Firefox tool Tamper Data will allow someone to change the ID of someone who is updating a registration, and that will wipe out the old data of the changed ID with the new data of the registration being edited.

Example: After viewing a registrant with a key ID of 100, and attempting to update a field to a new value - Tamper Data will allow you to bring up all of the fields being sent. At this point you can enter a new key ID that already exists as another registration. So if you replace the 100 with 120 - the record with key ID of 120 is now replaced with all data from the record 100 edit registration screen. This means that records 100 and 120 are basically the same, and the original 120 data is lost.

We are limiting the possibility of this happening by not allowing registrants the ability to update their records from the unsecured side of the website. Only the person who is the "Created by" for the event can edit registrations when logged in to the Secure side of the website.

After researching this, the main solution to prevent it from happening is either to not send the data (not possible since it is the DB key field) or to encrypt the field.

So if possible, it would be good to prevent Tamper Data (or another tool like it) from being able to easily change a database key ID field.
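
The tampering scenario in the post (key ID 100 swapped for 120 in the submitted form), as an added example in Python that is not part of the original post or the extension's code: the server tags the ID with an HMAC bound to the session when it renders the edit form, then verifies the tag and the record's owner on save. The function names, session IDs, `owner` field and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-application secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data: registrant key ID -> record, with the owning user.
REGISTRANTS = {
    100: {"owner": "alice", "first_name": "Alice"},
    120: {"owner": "bob", "first_name": "Bob"},
}


def issue_edit_token(session_id: str, registrant_id: int) -> str:
    """Tag rendered into the edit form next to the ID; binds the ID to this session."""
    msg = f"{session_id}|{registrant_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def save_registration(session_id, user, posted_id, posted_token, fields):
    """Apply the update only if the posted ID is the one the form was issued for."""
    # 1. Integrity: recompute the tag over the *posted* ID. If the ID was
    #    changed in transit (100 -> 120), the tag no longer matches.
    expected = issue_edit_token(session_id, posted_id)
    if not hmac.compare_digest(expected, posted_token):
        return "rejected: id does not match issued form"
    # 2. Authorization: even with a valid tag, the logged-in user must own
    #    the record. This check does not depend on anything the client sends.
    record = REGISTRANTS.get(posted_id)
    if record is None or record["owner"] != user:
        return "rejected: not authorized for this record"
    record.update(fields)
    return "saved"


if __name__ == "__main__":
    token = issue_edit_token("sess-a", 100)  # form rendered for record 100
    print(save_registration("sess-a", "alice", 100, token, {"first_name": "Alicia"}))
    print(save_registration("sess-a", "alice", 120, token, {"first_name": "Alicia"}))
    print(REGISTRANTS[120])  # record 120 is unchanged
```
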
