[Pushed] Privacy violation and other issues with - Drafts
#1
MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its existence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author are exposed in search results,
which is enough to assume its contents and many other things. This is a violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who has drafts) -> Press Find Button
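
The behaviour reported above, reduced to a minimal model (an added example, not part of the original post and not MyBB's code). The table, the `is_draft` column, the function names and the sample rows are hypothetical and constructed; the point is that a search matching on IP alone returns a draft's title and author, while the same search restricted to published posts does not.

```python
import sqlite3

# Hypothetical, simplified schema; these are not MyBB's real tables or columns.
SAMPLE_ROWS = [  # constructed sample data (documentation IP ranges)
    ("alice", "Welcome thread", "203.0.113.7", 0),
    ("alice", "Complaint about a moderator", "203.0.113.7", 1),  # unpublished draft
    ("bob", "Hello", "198.51.100.9", 0),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE posts (pid INTEGER PRIMARY KEY, author TEXT, "
        "subject TEXT, ipaddress TEXT, is_draft INTEGER)"
    )
    db.executemany(
        "INSERT INTO posts (author, subject, ipaddress, is_draft) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return db

def ip_search_leaky(db, ip):
    """Matches on IP only, so drafts show up in the moderator's results."""
    return db.execute(
        "SELECT author, subject FROM posts WHERE ipaddress = ? ORDER BY pid", (ip,)
    ).fetchall()

def ip_search_published_only(db, ip):
    """Same search, restricted to posts that have actually been published."""
    return db.execute(
        "SELECT author, subject FROM posts "
        "WHERE ipaddress = ? AND is_draft = 0 ORDER BY pid",
        (ip,),
    ).fetchall()

def leaked_drafts(db, ip):
    """Regression check: rows only the unfiltered search exposes."""
    published = set(ip_search_published_only(db, ip))
    return [row for row in ip_search_leaky(db, ip) if row not in published]

if __name__ == "__main__":
    db = build_db()
    print("leaky:    ", ip_search_leaky(db, "203.0.113.7"))
    print("filtered: ", ip_search_published_only(db, "203.0.113.7"))
    print("exposed:  ", leaked_drafts(db, "203.0.113.7"))
```
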
#2
Don't know if I'd call this a privacy violation but it is a bug nonetheless.
#3
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/819

Thanks for contributing to MyBB!

Regards,
The MyBB Group
#4
(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its existence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author are exposed in search results,
which is enough to assume its contents and many other things. This is a violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who has drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.
#5
(2014-06-30, 11:04 AM)Pirata Nervo Wrote:
(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its existence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author are exposed in search results,
which is enough to assume its contents and many other things. This is a violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who has drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...
#6
So is this about post/thread drafts or PM drafts?
#7
This is a ticket for MyBB 1.6 which doesn't store IPs for PMs... ;)
#8
(2014-06-30, 03:58 PM)JordanMussi Wrote:
(2014-06-30, 11:04 AM)Pirata Nervo Wrote:
(2014-06-29, 03:04 PM)avril Wrote: MyBB Version 1.6.13
PHP Version 5.5.14
SQL Engine MySQLi 5.5.37

Issue description :
Draft is 'virtually' stored on user account and as such is assumed to be private,
any knowledge about its existence and content should be known only to author until published.

Issue :
User drafts can be found by ModCP -> IPSearch.
While content of Draft cannot be viewed, Draft Title and Author are exposed in search results,
which is enough to assume its contents and many other things. This is a violation of user's privacy.

Reproduce :
Go to ModCP -> IP Search -> input IP (of user who has drafts) -> Press Find Button

While this may be considered a bug, this is not a privacy violation. It doesn't say anywhere the draft is private, therefore you can't assume it is.

The trouble is that Private Messages have that title but can be viewed by the administrator in the database...

They are to a point I suppose, it's private on the front-end to only the user they're PMing and them. In my opinion, users shouldn't have a good expectation of privacy on the majority of forums and should be sure they don't transmit any information that they wouldn't want the general public or a malicious user to see - that includes using different passwords, taking private chats off site, etc.

