View Issue Details

ID: 0001129
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2015-02-03 21:22
Reporter: Werner Dworak
Assigned To: janmaco
Priority: high
Severity: major
Reproducibility: always
Status: needs review
Resolution: open
Product Version: 2012 Q4
Summary: 0001129: When SE reveals the five secret questions and answers no warning is sent to the member
Description: I am a Support Engineer. When on the live system at the SE console I open my own account and reveal the five secret questions, no warning mail to my account is created. I did the same on the test server with a foreign account; there it was the same.

On the other side, if at "My Details" I open "Edit", then I get the warning mail as I should.
Tags: No tags attached.
Reviewed by: BenBE
Test Instructions: view the 5 PW questions in the support console, check if there was a mail sent to the account that was looked at

Relationships

related to 0000860 [closed, BenBE] someone accessed your password and secret questions page, plz change pwd translation mixed and garbled, text is translated in TL
related to 0000408 [confirmed] Improve the 5 QA warning message sent to the user on 5 QA set access
related to 0001138 [closed, NEOatNHNG] Implement to log the SE activity
related to 0000028 [closed, NEOatNHNG] 0000026 Wrong language for ''you've been assured'' & ''[CAcert.org] Client Certificate'' emails
related to 0000612 [needs review & testing, NEOatNHNG] Add IP address and time stamp to someone viewed your lost password questions notice.
related to 0001092 [needs work, NEOatNHNG] Mail is not sent on Menu Click when Support Engineer is looking at it
related to 0001135 [closed, egal] Extend database table AdminLog et al

Activities

janmaco

2014-12-23 23:34

updater   ~0005200

Last edited: 2014-12-24 11:12

I have a patch for this bug here: https://github.com/yellowant/cacert-devel/commit/8ff237fcab255eb1f3645c496a7a9414b7e377f4 (depending on bug 612)

Eva

2015-01-20 21:38

updater   ~0005248

I logged in as support admin. I looked up an account and checked the pw questions for that account.

Afterwards I got a mail.

-> ok so far.

BUT the mail itself has 2 issues:
a) it did NOT say that the lookup was done by a support engineer, but: "You receive this automatic mail since you yourself or someone else looked "

That is confusing, as it is definitely clear that it was NOT done by "you". On the contrary, it is clear that it was done by support.

This information is quite relevant to have if one has requested support to look up those questions, as then one knows why a lookup by support is taking place. But the text implies that it was done by a user, so it looks like a hack of the account.

b) The mail contains parts of the IP address of the support engineer.

There is definitely no need for this, especially if the mail tells you that it was done by support. The access IS logged in the account history as support activity. Any supporter can look up WHO did the support access if they get asked for this. This is enough to identify the support team member - even better than with an anonymised IP address.

As such access should mostly be done by someone who was asked to do it by the user, and is thereby allowed to do it by the SP, there is no reason to force the revealing of any personally identifiable data about the support engineer in this case, not even partially. It is of no relevance where in the world the support engineer is staying while doing support work.

IIF this information is needed it could be checked via logs. Those have to exist because of:
SP 8.4. Records and Logs
use of restricted interfaces must be logged.

=> it is working but the mail text is not matching the needs

janmaco

2015-01-20 22:15

updater   ~0005252

Maybe a fix regarding note 0005248: https://github.com/yellowant/cacert-devel/commit/f4640b86d408433a0aea7ff9665e12f6f204c38d

BenBE

2015-01-20 22:57

updater   ~0005253

The mail text has been changed for the support engineer case.

felixd

2015-01-20 23:19

updater   ~0005255

Test:

This mail still gets sent. There is no Subnet anymore. There is still the Time.

PASSED

Eva

2015-01-21 22:08

updater   ~0005258

I logged into an admin account and looked up an account. I entered a ticket number and looked at the PW details.

I checked the mails for the user's account. An information mail was there.
-> ok

The mail did not reveal information about the identity of the support team member who did the lookup.
-> ok

The mail correctly addressed the situation that the PW details were looked up from the support console and not via a normal user access (of the user's account).
-> ok

I also verified that:
- the PW lookup was displayed in the admin log table from support with the name of the support account from which I had looked at the PW details.
- the PW lookup was displayed in the user's account history but without the name of the support account.

-> both were correct.

The wording of the mail was not optimal. I would prefer a "because" instead of a "since" in the first line. But that is only a minor detail.

=> ok
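The checks in notes 0005248 and 0005258 amount to a small specification for the notification path: a support-console lookup must mail the member saying it was support, carry the ticket and time but no part of the engineer's IP, record the engineer in the AdminLog and keep them out of the member-visible history, while a lookup from the member's own "My Details" page keeps the "you yourself or someone else" wording with time and anonymised IP. The following is an added example that models that split so it can be tested mechanically; it is not CAcert's own code, and every name, template, the anonymisation level and the in-memory mail/log stores are assumptions.

```python
"""
Added example (not CAcert's code): the two warning-mail paths for a
secret-question lookup, modelled so the tracker's test checks can be
asserted. All names, templates and stores are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import ipaddress


@dataclass
class Account:
    username: str                                   # member's login (mail address)
    history: list = field(default_factory=list)     # entries the member can see


@dataclass
class Store:
    """Constructed stand-ins for outgoing mail and the AdminLog table."""
    sent_mail: list = field(default_factory=list)
    admin_log: list = field(default_factory=list)


def anonymise_ip(ip: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6) so the member can recognise
    their own network without the mail carrying a full address. The prefix
    lengths are an assumption, not a CAcert policy value."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def reveal_secret_questions(account: Account, store: Store, *, actor: str,
                            via_support_console: bool, actor_ip: str,
                            ticket: Optional[str] = None,
                            now: Optional[datetime] = None) -> str:
    """Record the access and queue the warning mail; returns the mail body.

    Support console: wording names support, carries time and ticket, never
    the engineer's IP; AdminLog stores the engineer's name, the member's
    history entry does not.
    Member's own page: "you yourself or someone else" wording with time
    and an anonymised IP, as the 612-style notice would show.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%d %H:%M:%S UTC")

    if via_support_console:
        if not ticket:
            raise ValueError("support access requires a ticket number")
        body = (f"You receive this automatic mail because a CAcert support "
                f"engineer viewed the secret questions and answers of your "
                f"account from the support console at {stamp} "
                f"(ticket {ticket}). If you did not request this, "
                f"please contact support.")
        # Restricted-interface use is logged with the engineer's identity
        # (SP 8.4), but that identity stays out of the member-visible history.
        store.admin_log.append({"when": stamp, "admin": actor, "ticket": ticket,
                                "action": "view secret questions",
                                "account": account.username})
        account.history.append({"when": stamp, "by": "support",
                                "action": "view secret questions"})
    else:
        net = anonymise_ip(actor_ip)
        body = (f"You receive this automatic mail because you yourself or "
                f"someone else viewed the secret questions and answers of "
                f"your account at {stamp} from network {net}. If this was "
                f"not you, change your password now.")
        account.history.append({"when": stamp, "by": "member", "ip": net,
                                "action": "view secret questions"})

    store.sent_mail.append({"to": account.username, "body": body})
    return body


if __name__ == "__main__":
    acct, st = Account("member@example.com"), Store()   # constructed sample data
    print(reveal_secret_questions(acct, st, actor="se-alice",
                                  via_support_console=True,
                                  actor_ip="203.0.113.77",
                                  ticket="TICKET-PLACEHOLDER"))
    print(st.admin_log, acct.history, sep="\n")
```

The point of keeping the two paths in one function is that the retest in note 0005302 becomes a handful of assertions: the mail exists, the support wording is present, the engineer's IP and name are absent from what the member receives, and the AdminLog row still identifies the engineer for the SP 8.4 record.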

janmaco

2015-01-21 22:12

updater   ~0005259

Replaced 'since' with 'because': https://github.com/yellowant/cacert-devel/compare/011b4c1a1538...c564dabc866e

Eva

2015-02-03 20:45

updater   ~0005302

I did the same checks as before. Everything is correct. -> ok
"since" was replaced with "because" in the email -> ok

=> ok

felixd

2015-02-03 21:21

updater   ~0005303

I also retested. The mail still gets sent. The text was improved.

=> test PASSED

Patrick

2015-02-03 21:22

updater   ~0005304

I did the same checks as Eva did, and got the same results. -> ok

=> ok

Issue History

Date Modified Username Field Change
2012-12-18 14:14 Werner Dworak New Issue
2012-12-18 14:37 Werner Dworak Relationship added related to 0000612
2012-12-20 16:39 Werner Dworak Relationship added related to 0001092
2012-12-27 08:57 Werner Dworak Status new => needs work
2013-01-07 23:11 Werner Dworak Relationship added related to 0000860
2013-01-07 23:46 Werner Dworak Relationship added related to 0000408
2013-01-09 14:42 Werner Dworak Relationship added related to 0001135
2014-04-29 20:56 INOPIAE Relationship added related to 0001138
2014-06-15 13:05 felixd Relationship added related to 0000028
2014-12-23 23:34 janmaco Note Added: 0005200
2014-12-23 23:34 janmaco Note Edited: 0005200
2014-12-24 11:12 janmaco Note Edited: 0005200
2015-01-13 22:06 janmaco Assigned To => janmaco
2015-01-13 22:06 janmaco Status needs work => fix available
2015-01-14 00:29 BenBE Reviewed by => BenBE
2015-01-14 00:29 BenBE Status fix available => needs review & testing
2015-01-14 00:29 BenBE Product Version => 2012 Q4
2015-01-20 21:11 Eva Test Instructions => view the 5 PW questions in the support console, check if there was a mail send to the account that was looked at
2015-01-20 21:38 Eva Note Added: 0005248
2015-01-20 22:15 janmaco Note Added: 0005252
2015-01-20 22:57 BenBE Note Added: 0005253
2015-01-20 23:19 felixd Note Added: 0005255
2015-01-21 22:08 Eva Note Added: 0005258
2015-01-21 22:12 janmaco Note Added: 0005259
2015-02-03 20:45 Eva Note Added: 0005302
2015-02-03 21:21 felixd Note Added: 0005303
2015-02-03 21:21 felixd Status needs review & testing => needs review
2015-02-03 21:22 Patrick Note Added: 0005304