1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XenForo support tickets : anyone can read a ticket via GET method

Discussion in 'General XenForo Discussion and Feedback' started by allewreK, Oct 16, 2013.

  1. allewreK

    allewreK Active Member


    I've just checked, and anyone can read a xenforo support ticket by finding a link (you can find that link at the bottom of a support email).


    I think it's quite dangerous. With that link, anyone can reply, even guests without being logged in (and read the convo).

    I know it's as designed, so the member can reply quickly with his cellphone as an example, but am I the only one who think it's dangerous for privacy ?

  2. Mike

    Mike XenForo Developer Staff Member

    The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).
    DRE, Shyuan and Amaury like this.
  3. Mike

    Mike XenForo Developer Staff Member

    I should also note that the "sensitive data" box prevents data from being displayed back in the ticket (it's only available to us). Additionally, after a ticket has been closed for a period of time, said sensitive data is removed from the database.
    Walter, Shyuan and Amaury like this.
  4. Shelley

    Shelley Well-Known Member

    Shouldn't the whole ticket be classed as sensitive data?

    @Mike - Who on your staff has Ticket support access can you please provide a list?
  5. oman

    oman Well-Known Member

    Shelley, I believe the following have ticket access:
    • Kier
    • Mike
    • Ashley
    • Slavik
    • Jake Bunce
    I know Jeremy doesn't because I asked him. Don't think Brogan does either.
    Shelley likes this.
  6. Shelley

    Shelley Well-Known Member

    Thanks oman. I knew those from your list had access and wondering more if that list has increased.
  7. oman

    oman Well-Known Member

    Maybe things have changed. @Mike would definitely be able to clarify that though.
  8. Jeremy

    Jeremy Well-Known Member

    You did?

    But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).
  9. oman

    oman Well-Known Member

  10. Shelley

    Shelley Well-Known Member

    The question was directed to Mike (it's a simple enough question) which he can either reply to or not. Until he confirms that then my question is still a standing one, question whether the list has changed or not or if additional people have been added to support ticket access.

  11. DRE

    DRE Well-Known Member

    Always wondered about how that works. I've seen the type of ticket system used here on other sites like some of my previous hosts for instance.
  12. Mike

    Mike XenForo Developer Staff Member

    If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

    The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.
  13. Shelley

    Shelley Well-Known Member

    That's not necessarily a bad thing on my part, I guess I don't have to view my complaining support tickets.

    I understand that the list was given but my question was directed for you Mike, not Jeremy. Thanks for taking 2 minutes out of your day though to reply.

Share This Page