• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XenForo support tickets : anyone can read a ticket via GET method

allewreK

Active member
#1
Hello,

I've just checked, and anyone can read a xenforo support ticket by finding a link (you can find that link at the bottom of a support email).

https://xenforo.com/tickets/XXXXXXX/?v=XXXXXXXX

I think it's quite dangerous. With that link, anyone can reply, even guests without being logged in (and read the convo).

I know it's as designed, so the member can reply quickly with his cellphone as an example, but am I the only one who think it's dangerous for privacy ?

Regards.
 

Mike

XenForo developer
Staff member
#2
The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).
 

Mike

XenForo developer
Staff member
#3
I should also note that the "sensitive data" box prevents data from being displayed back in the ticket (it's only available to us). Additionally, after a ticket has been closed for a period of time, said sensitive data is removed from the database.
 

Shelley

Well-known member
#4
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
 

oman

Well-known member
#5
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
 

Shelley

Well-known member
#6
Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
Thanks oman. I knew those from your list had access and wondering more if that list has increased.
 

Jeremy

Well-known member
#8
Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).
 

Shelley

Well-known member
#10
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).
The question was directed to Mike (it's a simple enough question) which he can either reply to or not. Until he confirms that then my question is still a standing one, question whether the list has changed or not or if additional people have been added to support ticket access.

Edit
 

DRE

Well-known member
#11
The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).
Always wondered about how that works. I've seen the type of ticket system used here on other sites like some of my previous hosts for instance.
 

Mike

XenForo developer
Staff member
#12
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.
 

Shelley

Well-known member
#13
If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.
That's not necessarily a bad thing on my part, I guess I don't have to view my complaining support tickets.

I understand that the list was given but my question was directed for you Mike, not Jeremy. Thanks for taking 2 minutes out of your day though to reply.