MyBB Community Forums

Full Version: Privacy violation and other issues with - Drafts
MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
A draft is 'virtually' stored on the user's account and as such is assumed to be private;
any knowledge of its existence and content should be known only to the author until it is published.

Issue :
User drafts can be found via ModCP -> IP Search.
While the content of a draft cannot be viewed, the draft title and author are exposed in the search results,
which is enough to assume its contents and many other things. This is a violation of the user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input the IP (of a user who has drafts) -> press the Find button.
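As an added illustration (not MyBB's own code and not the fix tracked on GitHub), the following Python models the reported IP search over a constructed mybb_posts table, assuming MyBB's convention that drafts are stored in the posts table with visible = -2 (published = 1, unapproved = 0), and shows the query-level filter that keeps drafts out of moderator search results:

```python
import sqlite3

# MyBB keeps unpublished drafts in the posts table, flagged visible = -2
# (assumption stated in the lead-in; published = 1, unapproved = 0).
DRAFT = -2

# Constructed sample rows mirroring the relevant mybb_posts columns:
# (pid, uid, subject, ipaddress, visible)
SAMPLE_POSTS = [
    (1, 7, "Hello world", "203.0.113.5", 1),
    (2, 7, "Re: meeting notes", "203.0.113.5", 0),
    (3, 7, "My resignation letter", "203.0.113.5", DRAFT),  # never submitted
    (4, 9, "Unrelated post", "198.51.100.9", 1),
]


def build_db():
    """Create an in-memory table with the constructed sample posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mybb_posts (pid INTEGER PRIMARY KEY, uid INTEGER, "
        "subject TEXT, ipaddress TEXT, visible INTEGER)"
    )
    conn.executemany("INSERT INTO mybb_posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def ip_search_unfiltered(conn, ip_pattern):
    """The search as reported: every row whose IP matches, drafts included.

    LIKE is used so that a trailing % works like the wildcard the ModCP
    form accepts (an assumption about the form, not a quote of its code).
    """
    rows = conn.execute(
        "SELECT pid FROM mybb_posts WHERE ipaddress LIKE ? ORDER BY pid",
        (ip_pattern,),
    ).fetchall()
    return [pid for (pid,) in rows]


def ip_search_filtered(conn, ip_pattern):
    """Same search with drafts excluded: only posts the author actually
    submitted (visible >= 0) are returned, so titles of unpublished drafts
    are no longer exposed to moderators through IP search."""
    rows = conn.execute(
        "SELECT pid FROM mybb_posts WHERE ipaddress LIKE ? AND visible > ? "
        "ORDER BY pid",
        (ip_pattern, DRAFT),
    ).fetchall()
    return [pid for (pid,) in rows]
```

Comparing the two result sets for the same IP is a quick regression check that the draft row (visible = -2) no longer appears once the filter is in place.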
Don't know if I'd call this a privacy violation, but it is a bug nonetheless.
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/819

Thanks for contributing to MyBB!

Regards,
The MyBB Group
(2014-06-29, 03:04 PM)avril Wrote: [ -> ]MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
A draft is 'virtually' stored on the user's account and as such is assumed to be private;
any knowledge of its existence and content should be known only to the author until it is published.

Issue :
User drafts can be found via ModCP -> IP Search.
While the content of a draft cannot be viewed, the draft title and author are exposed in the search results,
which is enough to assume its contents and many other things. This is a violation of the user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input the IP (of a user who has drafts) -> press the Find button.

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.
(2014-06-30, 11:04 AM)Pirata Nervo Wrote: [ -> ]
(2014-06-29, 03:04 PM)avril Wrote: [ -> ]MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
A draft is 'virtually' stored on the user's account and as such is assumed to be private;
any knowledge of its existence and content should be known only to the author until it is published.

Issue :
User drafts can be found via ModCP -> IP Search.
While the content of a draft cannot be viewed, the draft title and author are exposed in the search results,
which is enough to assume its contents and many other things. This is a violation of the user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input the IP (of a user who has drafts) -> press the Find button.

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...
So is this about post/thread drafts or PM drafts?
This is a ticket for MyBB 1.6 which doesn't store IPs for PMs... Wink
(2014-06-30, 03:58 PM)JordanMussi Wrote: [ -> ]
(2014-06-30, 11:04 AM)Pirata Nervo Wrote: [ -> ]
(2014-06-29, 03:04 PM)avril Wrote: [ -> ]MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
A draft is 'virtually' stored on the user's account and as such is assumed to be private;
any knowledge of its existence and content should be known only to the author until it is published.

Issue :
User drafts can be found via ModCP -> IP Search.
While the content of a draft cannot be viewed, the draft title and author are exposed in the search results,
which is enough to assume its contents and many other things. This is a violation of the user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input the IP (of a user who has drafts) -> press the Find button.

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...

They are to a point I suppose, it's private on the front-end to only the user they're PMing and them. In my opinion, users shouldn't have a good expectation of privacy on the majority of forums and should be sure they don't transmit any information that they wouldn't want the general public or a malicious user to see - that includes using different passwords, taking private chats off site, etc.