Response Time
24 — 48 hours
Hi,
When you click "subscribe via RSS' everywhere easyblog or easydiscuss, you will be redirected to an rss page to confirm your subscription.
Then in that page I clicked view page source and it show me all the emails of my users.
This is a serious security issue. I would not want all my private users email to be visible to everyone. Anyone can gather all the emails and sell them.
So with that, I disabled the RSS everywhere I can find.
Now when the user has the correct link to the RSS link of my site, he can still access the page and take all emails. Now that blows my mind away!
Rss is set to No and the RSS link is still active. This means all easyblog and easydicuss users data like emails has been farmed since the release of your extension. I can't believe no one ever complained about this.
If you have some hidden options to remove the emails, please tell me. I've spent countless hours looking any rss options to remove the link.
To prove the security breach;
I tested a website from your case study blog Popscrap.
http://stackideas.com/blog/popscrap-blogs-the-easy-way
Screenshot: http://awesomescreenshot.com/0341yfpaaa
I also tested one popular Joomla company techjoomla.com and guess what? I can get the emails from there users as well.
Screenshot: http://awesomescreenshot.com/0701yfpn6b
When you click "subscribe via RSS' everywhere easyblog or easydiscuss, you will be redirected to an rss page to confirm your subscription.
Then in that page I clicked view page source and it show me all the emails of my users.
This is a serious security issue. I would not want all my private users email to be visible to everyone. Anyone can gather all the emails and sell them.
So with that, I disabled the RSS everywhere I can find.
Now when the user has the correct link to the RSS link of my site, he can still access the page and take all emails. Now that blows my mind away!
Rss is set to No and the RSS link is still active. This means all easyblog and easydicuss users data like emails has been farmed since the release of your extension. I can't believe no one ever complained about this.
If you have some hidden options to remove the emails, please tell me. I've spent countless hours looking any rss options to remove the link.
To prove the security breach;
I tested a website from your case study blog Popscrap.
http://stackideas.com/blog/popscrap-blogs-the-easy-way
Screenshot: http://awesomescreenshot.com/0341yfpaaa
I also tested one popular Joomla company techjoomla.com and guess what? I can get the emails from there users as well.
Screenshot: http://awesomescreenshot.com/0701yfpn6b
1 Replies
The replies under this section are restricted to logged in users or users with an active subscription with us
