EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 25 Jan 2012, 05:16 AM   #1
Nikolaos
Essential Contributor
 
Join Date: Dec 1999
Posts: 345
Support Tickets

Just noticed to my surprise that Fastmail support tickets are publicly viewable by all on the net and not walled within a protected login area.

I'm rather glad I have never yet put any confidential information into a ticket, though it does bother me that some of my email addresses which I have always kept private and free from spam are now on the web and potentially available for harvesting by enterprising data miners/spammers.

I do realize the URLs are quite mangled and probably unguessable by harvesting bots, but then again technology is always advancing - whatever man can invent, another man will probably eventually top.

Is there some way to make a ticket private/protected which I don't know of?

If not, is there any chance of these tickets being secured in future?

I would respectfully like to suggest a protected implementation if at all possible. I know this would be a major undertaking, but surely it would be a good investment against potential future security problems...

Old 25 Jan 2012, 11:21 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Why do you think that Fastmail support tickets are viewable by others? As far as I can see, you must log into Fastmail before viewing your support tickets. I don't see any support tickets visible to a web search.

Fastmail web pages (including the support system) use cookies and special URLs and secure sessions to ensure you are logged in while viewing those screens. After logging out (not just closing your browser, but clicking the log out link) those old URLs should not work.

If you have discovered some hole in their system, I suggest not posting here, but instead filing a support request with this information by logging into your Fastmail account and using the Start Here link at the bottom.

Bill
Old 25 Jan 2012, 12:47 PM   #3
Nikolaos
Essential Contributor
 
Join Date: Dec 1999
Posts: 345
I actually discovered this accidentally while reading some old threads on this board the other day!

Someone had posted a URL to their ticket, and I was astonished to find that I was able to read it by going to that URL. I then checked on my own tickets, and found that the URL given in the "ticket url" line is accessible regardless of whether I am logged in or not. If I am not mistaken you can actually even post a response to a live ticket, while not logged in, and it will appear as being attributed to the Fastmail user who opened that ticket.

(Also - I clean my cookies and cache etc. all the time, and this was done prior to trying this out. I noted that my username did not appear in the top bar, and that the "login" link was showing, so clearly the system had no record of me or my prior logins while I was testing this.)

I don't believe this is an unintentional hole in their system, since they are clearly providing the "ticket url" on purpose. That's why I said I was surprised, as I have not prior to now encountered any helpdesk system that did not first require a login in order to view such tickets.

I am responding to your question here as it does not seem to be any big secret - as I said above, I only found out about it via a prior posting on this forum.

Last edited by Nikolaos : 25 Jan 2012 at 12:54 PM.
Old 25 Jan 2012, 01:16 PM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Wow! You are correct! I found the thread you probably found. If I were that poster, I would never post those details in public. The URL has a random string, so I don't think there is any chance it would be discovered unless you released the URL.

Bill
Old 13 Feb 2012, 12:33 AM   #5
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Bill / Nikolaos,

Is the particular ticket URL you guys are discussing cached in any search engine? If so this is deeply worrying.

Ed
Old 13 Feb 2012, 06:42 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
Quote (Originally Posted by ewal):
Is the particular ticket URL you guys are discussing cached in any search engine? If so this is deeply worrying.
I have no way to determine if that URL posted in an open forum by the user has been cached by any search engine as a search term. I can tell you that the URL isn't found by a Google search. But that thread was spidered by Google and BoardReader, as is most content in EMD. The poster must have understood this risk, since they posted the URL to their own support ticket asking others to read it.

And I don't understand why caching by a search engine of information posted in a public forum by the user is worrying. The user chose to release that private information on a public site. I would not recommend that course of action, but it is what they chose.

Bill
Old 13 Feb 2012, 06:48 AM   #7
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
No, I was thinking about whether search bots are able to spider the support ticket system, which would be worrying.

Obviously bots are all over this forum site.

Sorry if I was not clear.

Ed
Old 13 Feb 2012, 06:55 AM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
No, I can't imagine how a search engine could find the tickets by itself. It requires the user to post them publicly where they can be spidered by a search engine. Fastmail needs some way to share them internally and with the user who posted them, and right now they don't seem to have any way to do this other than a very odd URL. I'm surprised that Fastmail doesn't have a way to limit access to those URLs.

Bill
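The design question the thread circles around (a long random "ticket URL" that works without a login, versus a URL that still needs a matching session) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not Fastmail's code or anything posted in the thread. It models the behaviour the posters describe under "capability-only" access, puts a login-gated policy beside it, and reports what someone who finds a leaked URL can do under each. The token width, the `TicketStore` class, the user names and the staff list are all assumptions made for the example.

```python
"""Two access policies for a support-ticket URL (added model, not Fastmail code).

Policy A ("capability only") is what the thread describes: the random URL is
the only secret, so whoever holds it can read the ticket and post replies
that are attributed to the ticket owner.  Policy B ("login gated") still uses
the token to select the ticket but also requires a session belonging to the
owner or to staff, and attributes replies to the actual session user.
"""
import hmac
import secrets

TOKEN_BYTES = 16                 # assumption: 128 random bits per ticket URL
STAFF_USERS = {"support-agent"}  # assumption: constructed staff account list


def new_ticket_token() -> str:
    """Unguessable URL-safe token; the guess space is 2**(8*TOKEN_BYTES)."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def token_entropy_bits(token_bytes: int = TOKEN_BYTES) -> float:
    """Entropy of the token in bits, i.e. log2 of the number of possible URLs."""
    return 8.0 * token_bytes


class TicketStore:
    def __init__(self):
        # token -> {"owner": username, "body": [(author, text), ...]}
        self.tickets = {}

    def open_ticket(self, owner: str, text: str) -> str:
        token = new_ticket_token()
        self.tickets[token] = {"owner": owner, "body": [(owner, text)]}
        return token

    def _lookup(self, token: str):
        # Constant-time comparison so response timing cannot leak token prefixes.
        for stored, ticket in self.tickets.items():
            if hmac.compare_digest(stored, token):
                return ticket
        return None

    # ---- Policy A: the URL alone grants access (as described in the thread) ----
    def view_capability_only(self, token: str, session_user=None):
        ticket = self._lookup(token)
        return None if ticket is None else ticket["body"]

    def reply_capability_only(self, token: str, text: str, session_user=None) -> bool:
        ticket = self._lookup(token)
        if ticket is None:
            return False
        ticket["body"].append((ticket["owner"], text))  # attributed to the owner
        return True

    # ---- Policy B: URL selects the ticket, a matching session authorises it ----
    def view_login_gated(self, token: str, session_user):
        ticket = self._lookup(token)
        if ticket is None or session_user is None:
            return None
        if session_user != ticket["owner"] and session_user not in STAFF_USERS:
            return None
        return ticket["body"]

    def reply_login_gated(self, token: str, text: str, session_user) -> bool:
        if self.view_login_gated(token, session_user) is None:
            return False
        self._lookup(token)["body"].append((session_user, text))  # real author
        return True


def leaked_url_outcome() -> dict:
    """What an outsider with no login gets from a URL found on a forum."""
    store = TicketStore()
    # Constructed sample ticket; the address is a placeholder, not real data.
    token = store.open_ticket("alice", "my private address is <placeholder>")
    outsider = None  # cookies cleared, "login" link showing, as in post #3
    results = {
        "cap_only_view": store.view_capability_only(token, outsider) is not None,
        "cap_only_reply": store.reply_capability_only(token, "spam", outsider),
        "gated_view": store.view_login_gated(token, outsider) is not None,
        "gated_reply": store.reply_login_gated(token, "spam", outsider),
        "owner_gated_view": store.view_login_gated(token, "alice") is not None,
        "staff_gated_view": store.view_login_gated(token, "support-agent") is not None,
        "wrong_token_view": store.view_capability_only("not-a-token") is not None,
    }
    # Under policy A the outsider's reply shows up in alice's name.
    results["reply_attributed_to_owner"] = store.tickets[token]["body"][-1][0] == "alice"
    return results


if __name__ == "__main__":
    print(f"token entropy: {token_entropy_bits():.0f} bits")
    for name, value in leaked_url_outcome().items():
        print(f"{name:28} {value}")
```

The entropy figure is why Bill's point holds: a 128-bit token is not found by guessing or crawling, only by someone publishing the URL. The `leaked_url_outcome` results show the other half of the thread: once the URL is published, policy A lets a stranger read the ticket and add a reply in the owner's name, while policy B turns the same leaked URL into nothing more than a ticket identifier.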
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy