By Ysabel on Thursday, 14 November 2013
Posted in General Issues
Replies 1
Likes 0
Views 0.9K
Votes 0
Hi,

When you click "subscribe via RSS' everywhere easyblog or easydiscuss, you will be redirected to an rss page to confirm your subscription.
Then in that page I clicked view page source and it show me all the emails of my users.

This is a serious security issue. I would not want all my private users email to be visible to everyone. Anyone can gather all the emails and sell them.

So with that, I disabled the RSS everywhere I can find.

Now when the user has the correct link to the RSS link of my site, he can still access the page and take all emails. Now that blows my mind away!

Rss is set to No and the RSS link is still active. This means all easyblog and easydicuss users data like emails has been farmed since the release of your extension. I can't believe no one ever complained about this.

If you have some hidden options to remove the emails, please tell me. I've spent countless hours looking any rss options to remove the link.

To prove the security breach;

I tested a website from your case study blog Popscrap.

http://stackideas.com/blog/popscrap-blogs-the-easy-way

Screenshot: http://awesomescreenshot.com/0341yfpaaa


I also tested one popular Joomla company techjoomla.com and guess what? I can get the emails from there users as well.

Screenshot: http://awesomescreenshot.com/0701yfpn6b
Hello Ysabel,

This isn't actually a security breach because you can configure this under your Joomla Global Configuration area as you can see from my screen shot here, http://screencast.com/t/S58nvocH5Vf
·
Thursday, 14 November 2013 11:20
·
0 Likes
·
0 Votes
·
0 Comments
·
View Full Post