XenForo support tickets : anyone can read a ticket via GET method

Jean-Baptiste · Oct 16, 2013

Hello,

I've just checked, and anyone can read a xenforo support ticket by finding a link (you can find that link at the bottom of a support email).

https://xenforo.com/tickets/XXXXXXX/?v=XXXXXXXX

I think it's quite dangerous. With that link, anyone can reply, even guests without being logged in (and read the convo).

I know it's as designed, so the member can reply quickly with his cellphone as an example, but am I the only one who think it's dangerous for privacy ?

Regards.

Mike · Oct 16, 2013

The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).

Mike · Oct 16, 2013

I should also note that the "sensitive data" box prevents data from being displayed back in the ticket (it's only available to us). Additionally, after a ticket has been closed for a period of time, said sensitive data is removed from the database.

Shelley · Oct 17, 2013

Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?

oman · Oct 17, 2013

Shelley said:
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?

Shelley, I believe the following have ticket access:

Kier
Mike
Ashley
Slavik
Jake Bunce

I know Jeremy doesn't because I asked him. Don't think Brogan does either.

Shelley · Oct 17, 2013

oman said:
Shelley, I believe the following have ticket access:

Kier

Mike

Ashley

Slavik

Jake Bunce

I know Jeremy doesn't because I asked him. Don't think Brogan does either.

Thanks oman. I knew those from your list had access and wondering more if that list has increased.

oman · Oct 17, 2013

Shelley said:
Thanks oman. I knew those from your list had access and wondering more if that list has increased.

Maybe things have changed. @Mike would definitely be able to clarify that though.

Jeremy · Oct 17, 2013

oman said:
Shelley, I believe the following have ticket access:

Kier

Mike

Ashley

Slavik

Jake Bunce

I know Jeremy doesn't because I asked him. Don't think Brogan does either.

You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).

oman · Oct 17, 2013

Jeremy said:
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).

Yeah.

Shelley · Oct 17, 2013

Jeremy said:
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).

The question was directed to Mike (it's a simple enough question) which he can either reply to or not. Until he confirms that then my question is still a standing one, question whether the list has changed or not or if additional people have been added to support ticket access.

Edit

DRE · Oct 17, 2013

Mike said:
The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).

Always wondered about how that works. I've seen the type of ticket system used here on other sites like some of my previous hosts for instance.

Mike · Oct 17, 2013

Shelley said:
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?

If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.

Shelley · Oct 17, 2013

Mike said:
If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.

That's not necessarily a bad thing on my part, I guess I don't have to view my complaining support tickets.

I understand that the list was given but my question was directed for you Mike, not Jeremy. Thanks for taking 2 minutes out of your day though to reply.

XenForo support tickets : anyone can read a ticket via GET method

Jean-Baptiste

Well-known member

Mike

XenForo developer

Mike

XenForo developer

Shelley

Well-known member

oman

Well-known member

Shelley

Well-known member

oman

Well-known member

Jeremy

in memoriam 1991-2020

oman

Well-known member

Shelley

Well-known member

DRE

Well-known member

Mike

XenForo developer

Shelley

Well-known member

Similar threads

We value your privacy