View Issue Details

IDProjectCategoryView StatusLast Update
07382Feature requestsImport/Exportpublic2013-05-28 20:59
ReporterRince Assigned To 
PrioritynormalSeverityfeature 
Status acknowledgedResolutionopen 
Summary07382: Mailserver-Admin can guess the ID of the invited survey-user
DescriptionSince the ID for the users gets calculated by the import (so, if the import is in alphabetical order we have an incremented order also in the IDs), someone could try to guess the ID of users if he has access to the mailserver-logfiles. Since the Webserver-Admin is most of the time also the admin of the mailserver on localhost, he would now have the possibility to de-anonymize some surveys.
Additional InformationA possible solution: Randomize the sending of the mails
Instead of using the ID to sort the list to send out the invitations, use a function to randomize that list. Since every mail has to get created individually, you only have to check the range of the IDs and check for not having duplicates while sending out.

Thank you in advance ;)
TagsNo tags attached.

Activities

DenisChenu

DenisChenu

2013-05-24 19:16

developer   ~25362

Server admin can allways know what is done on is server.

tail -f /var/log/mail.log for mail ....
mlhess

mlhess

2013-05-28 20:59

reporter   ~25403

Mail is not a secure format.

Issue History

Date Modified Username Field Change
2013-05-24 19:16 DenisChenu Note Added: 25362
2013-05-28 20:59 mlhess Note Added: 25403