Forum security risk. URGENT!

I recently got confused over private messaging and that "activity" feature of this forum. What I thought was a private message ended up plastered into a public "activity" area.

Turns out I am not alone in this confusion. Many other people have made the same mistake.

Looking at my activity area now I see many messages that were obviously intended to be private. How do I know that? They say so, like this:

"I don't think it would be in the best interest of Parallax for me to ask this question publicly, so I'm asking it privately."

There are messages there between forum members discussing me. Obviously those messages were not intended for my eyes.

This is a grave privacy concern. The "activity" area is not just brain dead. It's dangerous.

Please remove it as soon as possible.





  • Well if it's any comfort to you I tried stalking you and got bored after about 15 seconds, or 3 clicks.
    Founder of Kinvert
    https://www.kinvert.com/
  • Hi Heater,

    The activity feature acts like a common whiteboard. I wouldn't call it a security risk. In fact it's fairly helpful in catching a high % of spammers too before they get to the main forum pages.

    That said, I don't disagree that the MESSAGE button which appears in every user's profile for sending PMs could be a bit more obvious (or at least explained). So your feedback noted!

  • Publison Posts: 9,774
    edited October 2015
    I kinda agree with Heater. It's not necessary, and confusing to new users (and old ones too).

    Without it, the blogs would not get posted there, and would be easier to find on the main forum page.

    As Moderators, we would not see the newly signed up members, which we can catch deliberate spammers, so it's a catch-22.

    I sent an email to Bumb to see if we can delete the Activity area. I'm not sure they can do that.
    Infernal Machine
  • This is one of those situations where the both of you are right. I think I'll stay out of further discussions on it.
  • @Keith,

    Sorry to be so boring as to be unworthy of stalking after 15 seconds. On the other hand you have spent more than 15 seconds writing that statement. I will leave it to others to figure out what that means.

    @VonSzarvas,

    Given the number of messages I see that are obviously intended to be private but published publicly I would call it a "privacy risk". There are no two ways about what is happening here.

    So, yes, something more obvious to distinguish "public white board" from "private message" is obviously required.

    But, but, isn't the forum itself supposed to be a public white board? This "activity" thing is totally redundant. As well as dangerous.

  • LoopyByteloose Posts: 12,537
    edited October 2015
    It certainly is a privacy risk to anyone that hasn't figured out the hazard potential.

    Of course, you don't have to be the sender of the message to have your privacy violated, you can be an unexpected recipient... tarred with the contents of something that was unsolicited.

    After that, one simply begins to distrust privacy in general on the Forums. Is that the objective or an undesired side-effect?

    Parallax took prompt action to fix this problem... by writing a Tutorial on how to write private messages. Kind of a band-aid approach.
    Hwang Xian Shen, Puddleby-on-the-Marsh.
    All things considered, I can live and thrive without Microsoft products. LINUX is just fine.
  • VonSzarvas Posts: 1,042
    edited October 2015
    Ok chaps, let's not let this turn into a new conspiracy. All points are noted, and everyone has an opinion on what they feel is right or wrong.

    Both Jim and I are in agreement that some benefit could be had from looking at the activity feature again, and that has been fed back to Parallax. Let's wait and see what the input is from Parallax before we burn the candle from all 3 sides.

    One of the mods will update on this thread in a few days.

    Thanks all.

    Edit: strike tongue-in-cheek quip; misunderstanding avoidance.
  • VonSzarvas,

    No suggestion of conspiracy here. I'm sure everyone involved means well. I certainly don't mean to imply otherwise.

    Just bringing to attention misfeatures of the forum software. Features that may not be working as people expected.

  • I just went there for the first time. Wow, what a mess. It looks like half of what's there was intended to be private messages. Little did they know.
    - Rick
  • Activity is still a valuable device to have for the Moderators. It lets us see the new forum members joining. I check IP addresses right away to see if they will be a problem.

    I am waiting to hear to see if the "Activity" portion can only be available to Admins or Mods. Monday at the earliest.

    And if anyone is concerned, Moderators cannot see PMs, only the stuff in "Activity", as can any member logged in.

    Infernal Machine
  • I'm not thrilled with it either.

    But I'm going to let all of you Mods figure it out on your own before deciding what I'll do with it.
  • I see it like a simple public address system. We really do need to make private messages more clear though.

    Do not taunt Happy Fun Ball! @opengeekorg ---> Be Excellent To One Another SKYPE = acuity_doug
    Parallax colors simplified: http://forums.parallax.com/showthread.php?123709-Commented-Graphics_Demo.spin
  • Yes!!!! Potatohead is on to something. If the moderators really desire Activity, they can keep it. But just make Private Messages obviously private rather than having to publish a tutorial on what not to do.

    In other words, the HTML pages between the two are overly integrated. I have no idea what inspired that, but get rid of it.

    It also might help to make it a bit more clear about how to remove a message from the Activity page. As it is, there is a tiny icon that one has to discover. I do realize that the fonts are trying to provide service for pad phones, netbooks, notebooks and desktops -- but trying to discover that tiny icon was difficult. How about a more concise box with 'delete'?
    Hwang Xian Shen, Puddleby-on-the-Marsh.
    All things considered, I can live and thrive without Microsoft products. LINUX is just fine.
  • Publison wrote: »
    Activity is still a valuable device to have for the Moderators. It lets us see the new forum members joining. I check IP addresses right away to see if they will be a problem.
    It shouldn't be necessary for moderators to depend on something like 'Activity' for that. On forums I have moderated the moderators had access to that information *without* having to depend on something ad-hoc and public like the terrible 'Activity' page. Certainly this forum software must have moderator tools built-in? For moderators only?

    -Tor

  • ...How about a more concise box with 'delete'?
    This should also apply to the 'Inbox'. I have a PM there that I do not know how to delete.

    Ray
  • Seairth Posts: 2,245
    edited October 2015
    Simple solution. Don't present the activity edit box immediately. Like the private message, require a user to click on a button. It doesn't even need to go to a separate page, just manipulate a hidden div element on the current page. That way, automated spammers will likely still act just like they do now.

    Edit: at the very least, change "message" to "send private message". This can be done right now while a more appropriate solution is devised.
  • Wow!
    That's what I want. Good show there.
  • I know about the difference between Activity and Private Messages but just a few days ago I posted what I thought was a private message to erco's activity page. I quickly realized my mistake and deleted the activity message.
    I agree with those thinking something should be done about this.
  • Then there we go. It can be considered a last word on the subject.
  • or not.......
  • Parallax is looking into suppressing "Activity" from all, except Administrators and Moderators. They are kind of busy, so it will not happen overnight.

    Infernal Machine
  • Excellent news Publison. Thanks.

  • Great news. I don't think people are seriously using it.

    Do not taunt Happy Fun Ball! @opengeekorg ---> Be Excellent To One Another SKYPE = acuity_doug
    Parallax colors simplified: http://forums.parallax.com/showthread.php?123709-Commented-Graphics_Demo.spin
  • potatohead,

    For sure nobody is using it seriously. Why would they?

    Point is to stop them using it accidentally thinking that what they are writing is private.

  • Well, I did a test post or two thinking people might be reading, like they would the blogs on the old forum software.

    From what I can tell, nobody used the feature as intended.

    As intended, it's just a PA type thing, good for a quick shoutout, etc...

    We just don't do that in this community. So, it's a no brainer. Ditch it.
    Do not taunt Happy Fun Ball! @opengeekorg ---> Be Excellent To One Another SKYPE = acuity_doug
    Parallax colors simplified: http://forums.parallax.com/showthread.php?123709-Commented-Graphics_Demo.spin
  • potatohead,
    ...like they would the blogs on the old forum software.
    Did anyone use the "blogs" on the old forum software?

    I don't get it.

    If I want to discuss something I start a thread here and see what happens.

    If I want to write my own serious content I use a blog site or whatever or set up my own.

  • Spammers are using it to post Blogs, but they get nipped in the bud right away.

    Hopefully Parallax will go forward to get it removed.

    (I'm just a Mod and cannot change the software, only suggestions from what you guys want. I'm on your side).
    Infernal Machine
  • Rsadeika wrote: »
    ...How about a more concise box with 'delete'?
    This should also apply to the 'Inbox'. I have a PM there that I do not know how to delete.

    Ray

    Thanks, Ray... I feared that I might be the only one having had difficulty with locating the Delete.

    HINT -- Look for the tiny bold X. In my case, I think the display actually offers up only the left hand side of the X .... and that is why I didn't catch on for a while.

    Why only half? Perhaps, something is odd about the relationship between the selected Font and the HTML layout giving enough space for whole characters.

    Hwang Xian Shen, Puddleby-on-the-Marsh.
    All things considered, I can live and thrive without Microsoft products. LINUX is just fine.
  • Yes, people did use blogs. They were good for a variety of discussion cases.

    One simply was to have a discussion off the beaten path. Sometimes quieter.
    Do not taunt Happy Fun Ball! @opengeekorg ---> Be Excellent To One Another SKYPE = acuity_doug
    Parallax colors simplified: http://forums.parallax.com/showthread.php?123709-Commented-Graphics_Demo.spin
  • Yes, there were A LOT of useful Blogs that got lost with the upgrade.
    Infernal Machine