Security Breach for EasyDiscuss and EasyBlog RSS

Ysabel
7:58 AM Thursday, 14 November 2013
Hi,

When you click "Subscribe via RSS" anywhere in EasyBlog or EasyDiscuss, you will be redirected to an RSS page to confirm your subscription.
Then on that page I clicked View Page Source and it showed me all the emails of my users.

This is a serious security issue. I would not want all my private users' emails to be visible to everyone. Anyone can gather all the emails and sell them.

So with that, I disabled the RSS everywhere I can find.

Now when a user has the correct RSS link for my site, he can still access the page and take all the emails. Now that blows my mind!

RSS is set to No and the RSS link is still active. This means all EasyBlog and EasyDiscuss user data, like emails, has been farmed since the release of your extension. I can't believe no one ever complained about this.

If you have some hidden options to remove the emails, please tell me. I've spent countless hours looking for any RSS options to remove the link.

To prove the security breach:

I tested a website from your case-study blog, Popscrap.

http://stackideas.com/blog/popscrap-blogs-the-easy-way

Screenshot: http://awesomescreenshot.com/0341yfpaaa


I also tested one popular Joomla company, techjoomla.com, and guess what? I can get the emails of their users as well.

Screenshot: http://awesomescreenshot.com/0701yfpn6b
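As an added defender-side example (not EasyBlog or StackIdeas code), here is a small Python audit that counts feed items whose <author> element carries an e-mail address and rewrites the feed so that only a display name is published in dc:creator. The sample feed, the regex and the function names are constructed for this example and assume the common RSS 2.0 layout where <author> holds "email (Name)".

```python
"""Audit an RSS 2.0 feed for exposed e-mail addresses and sanitise it.

Hypothetical helper written for this example; it is not EasyBlog code.
RSS 2.0 defines <author> as an e-mail address, which is why feed
generators often emit "user@example.com (Name)" and leak the address.
"""
import re
import xml.etree.ElementTree as ET

DC_NS = "http://purl.org/dc/elements/1.1/"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample feed: the first item leaks an address, the second
# already uses dc:creator with a plain display name.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Example blog</title>
    <item>
      <title>First post</title>
      <author>alice@example.com (Alice)</author>
    </item>
    <item>
      <title>Second post</title>
      <dc:creator>Bob</dc:creator>
    </item>
  </channel>
</rss>
"""


def count_exposed_authors(feed_xml: str) -> int:
    """Return how many <author> elements contain an e-mail address."""
    root = ET.fromstring(feed_xml)
    return sum(1 for a in root.iter("author") if EMAIL_RE.search(a.text or ""))


def sanitize_feed(feed_xml: str) -> str:
    """Replace every <author>email (Name)</author> with <dc:creator>Name</dc:creator>."""
    ET.register_namespace("dc", DC_NS)
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        for author in list(item.findall("author")):
            text = author.text or ""
            m = re.search(r"\(([^)]*)\)", text)  # display name in parentheses
            name = m.group(1).strip() if m else EMAIL_RE.sub("", text).strip()
            item.remove(author)
            creator = ET.SubElement(item, f"{{{DC_NS}}}creator")
            creator.text = name or "Anonymous"
    return ET.tostring(root, encoding="unicode")
```

Run count_exposed_authors against your own feed URL's body before and after deploying a template change to confirm the address is gone, not merely hidden from the rendered page.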