[Pushed] Privacy violation and other issues with - Drafts
(2014-06-30, 03:58 PM)JordanMussi Wrote:
(2014-06-30, 11:04 AM)Pirata Nervo Wrote:
(2014-06-29, 03:04 PM)avril Wrote:
MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its existence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author are exposed in search results,
which is enough to assume its contents and many other things. This is violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of a user who has drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...

They are to a point I suppose, it's private on the front-end to only the user they're PMing and them. In my opinion, users shouldn't have a good expectation of privacy on the majority of forums and should be sure they don't transmit any information that they wouldn't want the general public or a malicious user to see - that includes using different passwords, taking private chats off site, etc.

Messages In This Thread
RE: Privacy violation and other issues with - Drafts - by Rymax99 - 2014-07-09, 10:30 PM
