
Security issue in Idea Place notifications

ChrisPaine
Active Contributor
0 Kudos

Hello,

I've posted this as a new thread, because although I have emailed the Idea Place email address, I still haven't received any response, and I think this is an important issue.

It seems that the notifications that are sent from Idea Place when you create an Idea and someone comments on it, are sending the private email address of the commenter to the Idea submitter: e.g. the message I received a couple of days ago as Harald posted a comment on an Idea I had submitted - email address removed to (1) get around damnable filtering of this forum (2) to protect Harald's privacy.

Chris Paine,

A new comment was created on the idea Remove filters on certain fora - Comments & Suggestions and Coffee Corner:

https://ideas.sap.com/ideas/1137#comment-1137

Author : Harald Boeing

Profile: https://ideas.sap.com/people/harald @ somedomain.somedomainsuffix

Comment:

I think I just discovered why this is still beta status - I just posted a comment which disappeared, so let me try again (I hope it doesn't show up later and then it's me who looks like the idiot)...

... (rest of text removed as irrelevant for this post) ...

Harald's email address was clearly visible in the notification - even though he has it set to not being available in his profile.

When you go to the website it gives you an alternate link to Harald's profile on Idea Place which uses a numeric user number - not the email address. This is what should be sent in the notification.

As I mentioned, I have sent an email with this info to the address mentioned in the website FAQ and Contacts, but no response - I thought it might get more visibility here. I've even created an Idea - https://ideas.sap.com/ideas/1149 - so you can vote on it...

Cheers,

Chris
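The defect described above is a notification template that interpolates the commenter's email address into the profile link, and the fix is to link by numeric user id instead. The following is an added illustration, not Idea Place's own code: a leaky template beside the corrected one, plus a pre-send check that flags any address the recipient is not entitled to see. The data model, the URL path layout and the sample users are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical user record; the email_public flag stands in for the
# "show my email address" profile setting the thread refers to.
@dataclass
class User:
    user_id: int
    display_name: str
    email: str
    email_public: bool = False

IDEAS_BASE = "https://ideas.sap.com"  # host from the thread; path layout assumed

def render_notification_leaky(idea_id, comment_id, title, author, comment):
    """Template as it behaved when the bug was reported: the profile link
    is built from the author's email address, which leaks it."""
    return (
        f"A new comment was created on the idea {title}:\n"
        f"{IDEAS_BASE}/ideas/{idea_id}#comment-{comment_id}\n"
        f"Author : {author.display_name}\n"
        f"Profile: {IDEAS_BASE}/people/{author.email}\n"
        f"Comment:\n{comment}\n"
    )

def render_notification_fixed(idea_id, comment_id, title, author, comment):
    """Corrected template: the profile link uses the numeric user id,
    which is already visible on the website, so nothing private is sent."""
    return (
        f"A new comment was created on the idea {title}:\n"
        f"{IDEAS_BASE}/ideas/{idea_id}#comment-{comment_id}\n"
        f"Author : {author.display_name}\n"
        f"Profile: {IDEAS_BASE}/people/{author.user_id}\n"
        f"Comment:\n{comment}\n"
    )

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_leaked_addresses(body, recipient, author):
    """Pre-send guard: return addresses found in the rendered body that the
    recipient may not see. The recipient's own address is always allowed;
    the author's address is allowed only if their profile publishes it.
    Conservative by design: an address the author typed into the comment
    text is flagged as well."""
    allowed = {recipient.email.lower()}
    if author.email_public:
        allowed.add(author.email.lower())
    found = {m.lower() for m in EMAIL_RE.findall(body)}
    return sorted(found - allowed)
```

Wiring find_leaked_addresses into the send path (refuse to send and raise an alert when it returns anything) catches this class of template regression before a single notification goes out.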

Accepted Solutions (1)


Former Member
0 Kudos

I did see mention of a priority issue ticket relating to this a week ago, so possibly they waited (too long) to get back to you with good news.

Anyway, it is known and someone out there is working on it.

PS: If you can also post via email response (which is what some sites do) then it is worse: you change your mail address to post as others or use out-of-office notifications as DoS attack weapons.

Cheers,

Julius

ChrisPaine
Active Contributor
0 Kudos

Thanks Julius,

I thought I'd better raise it - as emailing out supposedly private email addresses is pretty bad - and I would imagine illegal in many countries (especially the EU where the server seems to be located...)

I'll still be waiting for an official response - so I'll not close off the thread just yet.

Cheers,

Chris

moshenaveh
Community Manager
0 Kudos

Hi,

Thank you for your patience.

I've reached out to one of my colleagues and hopefully you will have an answer soon.

Regards,

Moshe.

Kuhan_Milroy
Active Participant
0 Kudos

This is fixed now.

Just a note, it is different from the previous email issue identified; this fix is specific to Idea Place.

Thanks

Kuhan

Former Member
0 Kudos

Nice! Thank you for the quick reaction in fixing an important problem.

Regards,

Olivier
