Fixed Possible location bug when profile set to private

[Kirby]

Scenario
I've registered an account with my realname as username, so my profile URL looks like members/firstname-lastname.1 and I've also entered my location into the location profile field.
To keep privacy, I've only ollwed members I do follow to view my profile.
Now if such a member visits my profile and clicks ony my location, he gets redirected to Google Maps with the searchbox prefilled with the value from the profilefield.

So this discloses my location to Google Maps which is somewhat unexpected - I did not allow guests to view my profile.
If the browser of that member also passes the referrer URL, Google can even link my location to my realname.

I therefore suggest to either

• Remove that link (if the profile is not publically viewable)
• Document that functionality in the privacy policy and ideally anchor-link from the description of the location field on edit so I can make an informed decision wether or not I want to provide my location
• Use an intermediate page with meta refresh instead of a header redirect to block transmitting the original referrer

 

[S Thomas]

So this discloses my location to Google Maps which is somewhat unexpected - I did not allow guests to view my profile.

That's really not unexpected.

 

[Slavik]

That may be a minor details leak, possibly a bug there if a profile is supposed to be private.

Though as above, just change the link / use a no-ref service URL.

 

[Kirby]

That may be a minor details leak

... that may cost the forum owner up to 20.000.000 €

That's really not unexpected.

For the admin - probably not, but for the user who doesn't know anything about this setting/feature?
Probably yes.

 

[S Thomas]

Really? Stating that external links are out of your control still is punishable? That sounds pretty unreasonable, but oh well, it would fit the GDPR.
Something like this: http://www.bbc.co.uk/help/web/links/
which is implemented here: https://xenforo.com/privacy-policy/
under Links to other websites

 

[Kirby]

There doesn't seem to be anything in the linked privacy policy that tells me that my browser might disclose the real name of a user to a 3rd party website if I click on the location link in the users profile.

 

[Slavik]

... that may cost the forum owner up to 20.000.000 €

Stop with the dramatics please. Nobody is going to get fined 20 million euros for this. If the devs deem it as a profile bug they will fix it, otherwise alternative solutions have already been posted here.

 

[HotRodCarts]

lol

 

[Kirby]

Nobody is going to get fined 20 million euros for this.

Do you personally guarantee that? That's great news and makes me sleep better.
Jokes aside, nobody can guarantee that nobody is going to be fined 20 million euros for this, although it is very very very unlikely to hapen.

 

[Ozzy47]

I would say that it is a slight issue.

 

[webbouk]

Perhaps a disclaimer is required upon registration such as: "if you don't want anyone to know your personal details don't post them"

It's either that or to shut your sites down so you could get a good night's sleep.

I'd love to know what your were doing 1 minute to midnight on the 31st December 1999 a minute before the millennium bug was going to wipe out humanity

 

[Kirby]

I prayed.

 

[Chris D]

Two things for the next release here:

1) You can now remove the geoLocationUrl value entirely so the location is no longer displayed as a link.
2) If it is displayed as a link, we use rel="nofollow noreferrer" to ensure the referrer is not passed.

 

[Kirby]

Great, a few more template modifictions and class extensions that will be unneccesary in the future