[BUG] Privacy Issue - Closed and secret group content visible

pixels

New Member
I've found a huge privacy issue with groups. For secret or closed groups, the content should be inaccessible unless the user is an approved member of that group. However, the content is viewable to anyone (including guests) that has a direct link to either the social group forum (thread list) or a topic within it.

I did some testing and this doesn't affect older threads, only more recently created threads. I'm wondering if this issue was introduced in an update.

This is a serious issue when people are expecting their content to be private and protected, but in reality it can be viewed even by guests with a link.
 
Truonglv - Thanks for your response.

I've been trying to troubleshoot the issue I posted above. Instead, I ended up uninstalling and doing a fresh install. There are a couple issues and questions I have about the new version.

Posting this on the XenForo support thread as well.

The old version of the add-on used to create a separate forum for each group. The new version seems to place all threads for all group forums under the forum selected in the Archive group forums to node setting.

I have deselected Display in the node list for the Social Groups container forum.

Here's the big privacy issue. If I know the URL to the Social Groups container forum, I can see all the threads listed even if I'm logged out and using guest permissions. This includes threads assigned to closed and secret groups. Of course, if I mouse over the topic title, a preview of the thread content pops up. So if someone knows where to look, these group topics have no privacy and are open to the public regardless of their group settings.

Widgets - If I include the Social Groups container forum in the new threads widget, all members can see any new topics from the social group forums regardless of whether they're a member of the group. It didn't use to be that way when the groups all had their own forum. I would really like the members to only see threads from their joined groups for privacy reasons.
 