MyBB Community Forums
[Pushed] Privacy violation and other issues with - Drafts - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: Community Archive (https://community.mybb.com/forum-106.html)
+--- Forum: Archived Forums (https://community.mybb.com/forum-143.html)
+---- Forum: Archived Development and Support (https://community.mybb.com/forum-155.html)
+----- Forum: MyBB 1.6 (https://community.mybb.com/forum-138.html)
+------ Forum: 1.6 Bugs and Issues (https://community.mybb.com/forum-126.html)
+------ Thread: [Pushed] Privacy violation and other issues with - Drafts (/thread-155404.html)



Privacy violation and other issues with - Drafts - avril - 2014-06-29

MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its exsistence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author is exposed in search results,
which is enought to assume its contents and many other things. This is violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who have drafts) -> Press Find Button


RE: Privacy violation and other issues with - Drafts - Starpaul20 - 2014-06-29

Don't know if I'd call this a privacy violation but it is a bug nonetheless.


RE: Privacy violation and other issues with - Drafts - Starpaul20 - 2014-06-29

Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/819

Thanks for contributing to MyBB!

Regards,
The MyBB Group


RE: Privacy violation and other issues with - Drafts - Diogo Parrinha - 2014-06-30

(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its exsistence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author is exposed in search results,
which is enought to assume its contents and many other things. This is violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who have drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.


RE: Privacy violation and other issues with - Drafts - JordanMussi - 2014-06-30

(2014-06-30, 11:04 AM)Pirata Nervo Wrote:
(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its exsistence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author is exposed in search results,
which is enought to assume its contents and many other things. This is violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who have drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...


RE: Privacy violation and other issues with - Drafts - Diogo Parrinha - 2014-06-30

So is this about post/thread drafts or PM drafts?


RE: Privacy violation and other issues with - Drafts - StefanT - 2014-06-30

This is a ticket for MyBB 1.6 which doesn't store IPs for PMs... Wink


RE: Privacy violation and other issues with - Drafts - Rymax99 - 2014-07-09

(2014-06-30, 03:58 PM)JordanMussi Wrote:
(2014-06-30, 11:04 AM)Pirata Nervo Wrote:
(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its exsistence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author is exposed in search results,
which is enought to assume its contents and many other things. This is violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who have drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...

They are to a point I suppose, it's private on the front-end to only the user they're PMing and them. In my opinion, users shouldn't have a good expectation of privacy on the majority of forums and should be sure they don't transmit any information that they wouldn't want the general public or a malicious user to see - that includes using different passwords, taking private chats off site, etc.