Opened 10 years ago

Closed 10 years ago

#1528 closed Bug/Something is broken (fixed)

Email quirk - accessing another user's webmail settings.

Reported by: https://id.mayfirst.org/scworkers
Owned by: https://id.mayfirst.org/jamie
Priority: Urgent
Component: Tech
Keywords: webmail security
Cc: busman@…
Sensitive: no

Description

One of our employees is using webmail to send emails and he noticed that someone else's signature line is being appended to the emails he sends. His user account is chris and his emails are christopher@ syrculturalworkers.com and christopher@ syracuseculturalworkers.com. The signature line is for a Chris Benecke at Sylvia Rivera Law Project. His email address is chris@ srlp.org. Perhaps they are another client of yours. I hope such an oddity could not be exploited by anyone. How can we remedy this?

Thanks

Change History (6)

comment:1 Changed 10 years ago by https://id.mayfirst.org/alfredo

  • Priority changed from Medium to High

SRLP is an MFPL member. Yes.

You didn't identify yourself so I'm not sure who I'm talking to here. :-)

Have him send me an email from webmail to alfredo@…. I'll take a look at what's happening. In general, the behavior you're describing would normally be impossible in webmail and so it's like a pretty huge bug. In fact, it's one I've never seen and we'd be very anxious to fix whatever is wrong.

Send me the email please as soon as you can.

Thanks

Alfredo

bumping priority to high -- possible system-wide problem

comment:2 Changed 10 years ago by https://id.mayfirst.org/alfredo

Based on the email, Chris is clearly using someone else's account.

But what we're seeing isn't possible unless he's logging into the wrong server. Are you sure Chris is logging into albizu? If not, it's still a problem but not the same problem.

comment:3 Changed 10 years ago by https://id.mayfirst.org/scworkers

Alfredo, he is logging onto his account using Albizu. Beyond that I don't know what to tell you.

John

comment:4 Changed 10 years ago by https://id.mayfirst.org/alfredo

  • Keywords webmail security added
  • Priority changed from High to Urgent

Ohhh boy!!! I was afraid of that!

Can I ask that Chris stop using webmail until we can fix this? I can't email him directly. We should have this fixed in a day or so. It could be a small matter but, as you surmised, this could be a very serious bug.

Thanks, John.

Escalating to urgent -- possible security issue

comment:5 Changed 10 years ago by https://id.mayfirst.org/scworkers

He will stop using webmail until I hear from you.

We did go into the mail section in options of webmail and replaced Chris Benecke's information with our Chris's info. That should take care of our problem, at least on the surface, but the question is how did someone else's info get in there in the first place?

Cheers,

John

comment:6 Changed 10 years ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from Email quirk to Email quirk - accessing another user's webmail settings.

Hi John - You can have your user safely begin using webmail again.

I'm fairly certain I've identified the problem. I've created a new ticket (#1532) to address the underlying problem.

The problem is not that your user chris is unintentionally accessing another user's information. The problem is that your user chris is inheriting the settings from a previously deleted user with the same login name.

With #1532 open to address the underlying problem, I'm going to close out this ticket - which I think is resolved.

Thanks for the report!!
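
The root cause given in comment:6, shown as an added example that is not part of the ticket and is not May First's code: preferences keyed by a reusable login name outlive a deleted account and are inherited by the next account with that login. The schema, table names, function names and sample values are all assumptions made for the illustration.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- AUTOINCREMENT guarantees a uid is never handed out twice.
        CREATE TABLE users (uid INTEGER PRIMARY KEY AUTOINCREMENT, login TEXT UNIQUE);
        -- Weak layout (assumed): prefs keyed by the reusable login name.
        CREATE TABLE prefs_by_login (login TEXT PRIMARY KEY, signature TEXT);
        -- Hardened layout: prefs keyed by the never-reused uid.
        CREATE TABLE prefs_by_uid (uid INTEGER PRIMARY KEY, signature TEXT);
    """)
    return db

def create_user(db, login):
    return db.execute("INSERT INTO users (login) VALUES (?)", (login,)).lastrowid

def set_signature(db, uid, login, text):
    db.execute("INSERT OR REPLACE INTO prefs_by_login VALUES (?, ?)", (login, text))
    db.execute("INSERT OR REPLACE INTO prefs_by_uid VALUES (?, ?)", (uid, text))

def delete_user(db, uid, login, purge):
    # purge=False models the bug: the account goes away, its webmail prefs stay.
    if purge:
        db.execute("DELETE FROM prefs_by_login WHERE login = ?", (login,))
        db.execute("DELETE FROM prefs_by_uid WHERE uid = ?", (uid,))
    db.execute("DELETE FROM users WHERE uid = ?", (uid,))

def signature(db, table, key_col, key):
    # table/key_col are fixed literals chosen by the caller below, never user input.
    row = db.execute(f"SELECT signature FROM {table} WHERE {key_col} = ?", (key,)).fetchone()
    return row[0] if row else None

def orphaned_prefs(db):
    # Audit query: stored preferences whose login has no live account.
    q = "SELECT login FROM prefs_by_login WHERE login NOT IN (SELECT login FROM users)"
    return [r[0] for r in db.execute(q)]

def demo(purge):
    db = make_db()
    old = create_user(db, "chris")                    # constructed sample account
    set_signature(db, old, "chris", "Signature of member A")
    delete_user(db, old, "chris", purge)
    orphans = orphaned_prefs(db)                      # what an audit sees before reuse
    new = create_user(db, "chris")                    # different person, same login
    return (signature(db, "prefs_by_login", "login", "chris"),
            signature(db, "prefs_by_uid", "uid", new), orphans)

if __name__ == "__main__":
    print("no purge:", demo(False))
    print("purge   :", demo(True))
```

Either control alone closes the gap: purging preferences on account deletion, or keying them on an identifier that is never reused. The orphan query can be run against existing data to find logins that would inherit stale settings.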
