Not a bug User account details disclosure

Karelke

Well-known member
Affected version
2.1.7
During a security audit, a potential privacy issue has been discovered:

[Embedded video]

Can you guys confirm this? Is it as intended?
 
For future reference if you believe there to be a privacy/security leak it may be better to contact us privately by submitting a ticket from your customer area.

However, on this occasion, I'm not exactly understanding what you're reporting.

To clarify the main thing; there seems to be some element here of going directly to a user's tooltip URL which is, for example:
https://xenforo.com/community/members/chris-d.11388/tooltip

That doesn't change any behaviour in itself. You can see the user's tooltip any time by hovering over the user's name or avatar and only the most basic user profile information is displayed there.

There seems to be another aspect to your report which seems to be related to the ability to follow a user.

These are the privacy settings for the user from the video:
1589383575279.png

Notably the actual software privacy settings are different from the video:

1589383612192.png

I'm assuming you have profile posts disabled and I'm assuming you have the news feed disabled so the only entries I'd expect to see here by default are:
  • View your details
  • Start conversations
  • View your identities
All that being said, I do not know what "Allow users ... You follow: Never" means or where the "You follow" option comes from. Is it an add-on? Is it designed so that a user can control who is allowed to follow them or not?

If so and that's what the report is about I think you need to report the issue there as it is not default functionality in the software.
 
For future reference if you believe there to be a privacy/security leak it may be better to contact us privately by submitting a ticket from your customer area.

Apologies, I will keep that in mind.

profile posts disabled

Correct.

news feed disabled

That would be the "follow me" option.

All that being said, I do not know what "Allow users ... You follow => Never" means or where the "You follow" option comes from. Is it an add-on? Is it designed so that a user can control who is allowed to follow them or not?

Our website is in Dutch. The reporter who performed the audit translated the website with his browser, and some Dutch words have been translated wrongly.
 
Ok. In that case, I'm not exactly sure what the bug that is being reported is.

Nothing shown in the video relates to those privacy options, or demonstrates any information being leaked.
 