FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
25 Jan 2012, 05:16 AM | #1 |
Essential Contributor
Join Date: Dec 1999
Posts: 345
|
Support Tickets
Just noticed to my surprise that Fastmail support tickets are publicly viewable by all on the net and not walled within a protected login area.
I'm rather glad I have never yet put any confidential information into a ticket, though it does bother me that some of my email addresses which I have always kept private and free from spam are now on the web and potentially available for harvesting by enterprising data miners/spammers. I do realize the URLs are quite mangled and probably unguessable by harvesting bots, but then again technology is always advancing - whatever man can invent, another man will probably eventually top. Is there some way to make a ticket private/protected which I don't know of? If not, is there any chance of these tickets being secured in future? I would respectfully like to suggest a protected implementation if at all possible. I know this would be a major undertaking, but surely it would be a good investment against potential future security problems... |
25 Jan 2012, 11:21 AM | #2 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
|
Why do you think that Fastmail support tickets are viewable by others? As far as I can see, you must log into Fastmail before viewing your support tickets. I don't see any support tickets visible to a web search.
Fastmail web pages (including the support system) use cookies, special URLs and secure sessions to ensure you are logged in while viewing those screens. After logging out (not just closing your browser, but clicking the log out link) those old URLs should not work. If you have discovered some hole in their system, I suggest not posting here, but instead filing a support request with this information by logging into your Fastmail account and using the Start Here link at the bottom. Bill |
25 Jan 2012, 12:47 PM | #3 |
Essential Contributor
Join Date: Dec 1999
Posts: 345
|
I actually discovered this accidentally while reading some old threads on this board the other day!
Someone had posted a URL to their ticket, and I was astonished to find that I was able to read it by going to that URL. I then checked on my own tickets, and found that the URL given in the "ticket url" line is accessible regardless of whether I am logged in or not. If I am not mistaken you can actually even post a response to a live ticket, while not logged in, and it will appear as being attributed to the Fastmail user who opened that ticket. (Also - I clean my cookies and cache etc. all the time, and this was done prior to trying this out. I noted that my username did not appear in the top bar, and that the "login" link was showing, so clearly the system had no record of me or my prior logins while I was testing this.) I don't believe this is an unintentional hole in their system, since they are clearly providing the "ticket url" on purpose. That's why I said I was surprised, as I have not prior to now encountered any helpdesk system that did not first require a login in order to view such tickets. I am responding to your question here as it does not seem to be any big secret - as I said above, I only found out about it via a prior posting on this forum. Last edited by Nikolaos : 25 Jan 2012 at 12:54 PM. |
25 Jan 2012, 01:16 PM | #4 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
|
Wow! You are correct! I found the thread you probably found. If I were that poster, I would never post those details in public. The URL has a random string, so I don't think there is any chance it would be discovered unless you released the URL.
Bill |
13 Feb 2012, 12:33 AM | #5 |
Master of the @
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
|
Bill / Nikolaos,
Is the particular ticket URL you guys are discussing cached in any search engine? If so this is deeply worrying. Ed |
13 Feb 2012, 06:42 AM | #6 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
|
Quote:
And I don't understand why caching by a search engine of information posted in a public forum by the user is worrying. The user chose to release that private information on a public site. I would not recommend that course of action, but it is what they chose. Bill |
13 Feb 2012, 06:48 AM | #7 |
Master of the @
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
|
No, I was thinking if search bots are able to spider over the support ticket system which would be worrying.
Obviously bots are all over this forum site. Sorry if I was not clear. Ed |
13 Feb 2012, 06:55 AM | #8 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,930
|
No, I can't imagine how a search engine could find the tickets by itself. It requires the user to post them publicly where they can be spidered by a search engine. Fastmail needs some way to share them internally and with the user who posted them, and right now they don't seem to have any way to do this other than a very odd URL. I'm surprised that Fastmail doesn't have a way to limit access to those URLs.
Bill |
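The two designs this thread contrasts, an unguessable "ticket URL" that needs no login versus access limited to the logged-in ticket owner (or staff), can be modelled side by side, including the reply-attribution problem raised in post #3. The following is an added example written for this thread, not code from Fastmail or its support system; the `HelpDesk` class, the account names, the 32-byte token length and the sample ticket are all constructed assumptions.

```python
"""Two access models for a helpdesk ticket page, modelled in memory.

Model A ("capability URL"): anyone holding the ticket's random token can
read and reply, with no login, which is the behaviour described in the
thread. Model B: the same ticket, but the viewer must present an
authenticated session whose user owns the ticket or is on staff.
All names, tokens and tickets below are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 32  # assumption: 256 bits of randomness per ticket token


@dataclass
class Ticket:
    ticket_id: int
    owner: str                  # account that opened the ticket
    subject: str
    token: str                  # the secret part of the "ticket URL"
    replies: list = field(default_factory=list)  # (author, text) pairs


class HelpDesk:
    def __init__(self):
        self._tickets = {}
        self._staff = {"support-agent"}  # constructed staff account

    def open_ticket(self, owner, subject):
        tid = len(self._tickets) + 1
        t = Ticket(tid, owner, subject, secrets.token_urlsafe(TOKEN_BYTES))
        self._tickets[tid] = t
        return t

    # --- Model A: capability URL, no session required -------------------
    def view_by_token(self, ticket_id, token):
        t = self._tickets.get(ticket_id)
        if t is None:
            return None
        # constant-time compare so response timing does not leak how much
        # of a guessed token matched
        if not hmac.compare_digest(t.token, token):
            return None
        return t

    def reply_by_token(self, ticket_id, token, text):
        """Whoever holds the URL can reply, and the reply is recorded as
        the ticket owner's, because the token is the only identity."""
        t = self.view_by_token(ticket_id, token)
        if t is None:
            return False
        t.replies.append((t.owner, text))
        return True

    # --- Model B: session-gated -----------------------------------------
    def view_with_session(self, session_user, ticket_id):
        t = self._tickets.get(ticket_id)
        if t is None or session_user is None:  # None = not logged in
            return None
        if session_user != t.owner and session_user not in self._staff:
            return None
        return t

    def reply_with_session(self, session_user, ticket_id, text):
        t = self.view_with_session(session_user, ticket_id)
        if t is None:
            return False
        t.replies.append((session_user, text))  # attributed to real poster
        return True


def token_entropy_bits(token_bytes=TOKEN_BYTES):
    """Bits of entropy in a token built from token_bytes random bytes."""
    return token_bytes * 8


def expected_guesses(live_tickets, token_bytes=TOKEN_BYTES):
    """Expected number of random guesses before one of `live_tickets`
    valid tokens is hit (half the keyspace divided by the target count)."""
    return 2 ** (token_bytes * 8) // (2 * live_tickets)


if __name__ == "__main__":
    desk = HelpDesk()
    t = desk.open_ticket("alice", "Cannot send mail")  # constructed ticket
    print("token bits:", token_entropy_bits())
    print("no login, right token:", desk.view_by_token(t.ticket_id, t.token) is t)
    print("no login, session model:", desk.view_with_session(None, t.ticket_id))
    desk.reply_by_token(t.ticket_id, t.token, "reply via shared link")
    print("reply attributed to:", t.replies[-1][0])
```

With a 256-bit token, guessing a live ticket URL is infeasible, which is the point Bill makes; what the model makes visible is that the token is also the only identity the system has, so anyone the URL is forwarded to (or who finds it quoted on a forum) can read and reply as the owner, whereas the session-gated variant ties both viewing and authorship to the logged-in account and returns nothing to an anonymous caller.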