Open Bug 1627960 Opened 4 years ago Updated 3 years ago

Accepting an invitation sends the message to default Bcc: address too


(Calendar :: General, defect)



(Not tracked)



(Reporter: s.p.helma, Unassigned)



User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I set up a default Bcc: address in Account Settings > [Account} > Copies & Folders > Bcc these email addresses:

I click on "Accept invitation" in the invitation email.

Actual results:

The invitation acceptance message is not only sent to the person sending the invitation, but also to the Bcc: address.

Expected results:

The acceptance message should only sent to the person inviting my, but not to the Bcc: address. This can be a possible security leak. On a technical side, it is not even logical to send it to anybody else than the host and the invitees.

See also: bug 1577082, bug 1562896

Component: Untriaged → General
Keywords: privacy
Product: Thunderbird → Calendar
Version: 68 → unspecified

While I'm surprised that "works", that is what it's supposed to do. It can't be a privacy leak that Thunderbird sent a mail to the bcc you said it should send to.

Keywords: privacy

Please, let's not get us distracted by a discussion, if this is a privacy leak or not (this might be a matter of definition).

May I explain my scenario?

I work for a company where all relevant emails are collected in what we call a "sales inbox". I tend to forget to include this mailbox address in the Bcc: field, so I set it up in "Account Settings > [Account} > Copies & Folders > Bcc these email addresses:" as described. If the email should not go into the sales inbox, I simply delete the address from the Bcc: field.

When I receive an invitation and accept it, this acceptance mail is sent to the sales inbox. I don't have any control, if it is sent or not. I don't want to send all accepted invitations to the sales inbox where everybody can read it.

Since I cannot delete the Bcc: from the acceptance mail, I considered in a privacy leak. Perhaps there is a better word for it?

Severity: -- → S4
See Also: → 1562896

Magnus, it begins to dawn at me, why you think this is not a privacy leak: You believe, that because I set a default Bcc: address, I must like to have all emails bcc'ed to this address!

I use the default Bcc: address in a different way: For me it is just a reminder to bcc my email to this address. This address is my company's common mailbox. I delete this address, if it not appropriate to send my emails there. I do not bcc all my emails to this address (and definitely do not want my accepted invitation end up at this address). So not being able to control the Bcc: is a security leak for me.

It might be worth checking, if the invitation is also cc'ed to default Cc: addresses ...

You need to log in before you can comment on or make changes to this bug.