XenForo support tickets : anyone can read a ticket via GET method

Jean-Baptiste

Jean-Baptiste

Well-known member
Hello,

I've just checked, and anyone can read a xenforo support ticket by finding a link (you can find that link at the bottom of a support email).

https://xenforo.com/tickets/XXXXXXX/?v=XXXXXXXX

I think it's quite dangerous. With that link, anyone can reply, even guests without being logged in (and read the convo).

I know it's as designed, so the member can reply quickly with his cellphone as an example, but am I the only one who think it's dangerous for privacy ?

Regards.
 
The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).
 
I should also note that the "sensitive data" box prevents data from being displayed back in the ticket (it's only available to us). Additionally, after a ticket has been closed for a period of time, said sensitive data is removed from the database.
 
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
 
Shelley said:
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
Click to expand...

Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
 
oman said:
Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
Click to expand...

Thanks oman. I knew those from your list had access and wondering more if that list has increased.
 
oman said:
Shelley, I believe the following have ticket access:
  • Kier
  • Mike
  • Ashley
  • Slavik
  • Jake Bunce
I know Jeremy doesn't because I asked him. Don't think Brogan does either.
Click to expand...
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).
 
Jeremy said:
You did?

But to answer your question, @Shelley, those 5 are the only ones with access to tickets (in addition to you have access to your own).
Click to expand...

The question was directed to Mike (it's a simple enough question) which he can either reply to or not. Until he confirms that then my question is still a standing one, question whether the list has changed or not or if additional people have been added to support ticket access.

Edit
 
Mike said:
The ticket does not include an integer identifier and includes an extra validation key in a non predictable fashion. If you have the link, yes you can read it but there's no way to get the link except via the email (or a ticket history in the customer area).
Click to expand...
Always wondered about how that works. I've seen the type of ticket system used here on other sites like some of my previous hosts for instance.
 
Shelley said:
Shouldn't the whole ticket be classed as sensitive data?

@Mike - Who on your staff has Ticket support access can you please provide a list?
Click to expand...
If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.
 
Mike said:
If you want to put all the data into the sensitive data box, you're welcome to. Obviously you wouldn't have a record of your side of the conversation then.

The list of people has already been given and confirmed by a staff member. Access and personnel may change over time as you'd expect for any company.
Click to expand...

That's not necessarily a bad thing on my part, I guess I don't have to view my complaining support tickets.

I understand that the list was given but my question was directed for you Mike, not Jeremy. Thanks for taking 2 minutes out of your day though to reply.
 
You must log in or register to reply here.

Similar threads

Ozzy47
[OzzModz] Building A New Forum Following 11 Useful Tips
Replies
8
Views
4K
Kleazy
Kleazy
flowerpot132
Can anyone recommend a ticket system please?
Replies
15
Views
1K
Alpha1
Alpha1
Dadparvar
My experience with XF1 paid resources (Add Yours)
2
Replies
34
Views
4K
Bionic Rooster
Bionic Rooster
Rasbelin
Other Custom coding/add-on and layout/template development (PAID)
Replies
4
Views
3K
Rasbelin
Rasbelin
Disrelation
  • Locked
What can be done?
Replies
4
Views
783
Slavik
Slavik
Top Bottom