Implement complete email address privacy

RESOLVED FIXED in Bugzilla 6.0

Status

enhancement
P2
normal
RESOLVED FIXED
17 years ago
3 years ago

People

(Reporter: mats, Assigned: gerv)

Tracking

(Blocks 1 bug, {privacy})

unspecified
Bugzilla 6.0

Details

I would like to be able to hide my email-address from any user using
Bugzilla. This means changes in a lot of areas I guess, here are a few from
the top of my head:

1 A new email pref of course ("Don't reveal my email address...")

2 All emails to me that also reach other users (To or CC) should automatically
  move my address to Bcc instead.

3 In bug listings the "mailto:" link should just display my name or (if you feel
  inspired) be a link to "send message form" that "proxy" the email so that the
  final destination is not revealed to the sender.

4 In a bug report where I have made a comment or am the reporter there is
  again a "mailto:" link. This can be removed or be a link to a form that posts
  the message as a new comment to the bug in question, it could even have some
  parts of the text generated - for example when you click on "Mats Palmgren"
  in a comment such as:
------- Additional Comment #1 From Mats Palmgren  2002-08-19 15:50 -------

  The text "In reply to Mats Palmgren in comment 1:" could be generated.

5 I see that there are requests to spread email addresses even more (like the
  X-Bugzilla-Who: request in bug 137261 for example). Such fields should not
  be sent (or send my name instead) when I have selected the pref in 1.

6 etc. there are probably lots of other places I haven't thought of...


This request is of course to limit the risk of being SPAMMED.
Please have this risk in mind when considering "X-Bugzilla-Who:"
and similar requests.

Thanks,
Mats
*** Bug 163546 has been marked as a duplicate of this bug. ***
2) Mail is only sent via To, but it's only sent to one person at a time - ie
there's a separate email for each person, so that problem isn't an issue

5) X-Bugzilla-Who would require a spammer to be CC'd on the appropriate bug -
there are easier ways to get addresses.

This is probably a dupe of bug 120030, but not entirely.
I have a dedicated Bugzilla email address and I just received spam to it.  This
is a serious hole.
same here. I just got spam on my (dedicated) bugzilla email address. not 
impressed people. I use this to help you improve the program. It is not an 
invitation to receive more spam. but unfortunately now I am stuck with it, that 
email address will soon be unusable, and I will have to get another one. great. 
thanks.
A suitable solution is described at: http://www.htmldog.com/ptg/archives/000063.php

This would require minimal application changes. Much less intrusive than new
configuration values, internal messaging systems, etc.
(In reply to comment #5)
> A suitable solution is described at:
> http://www.htmldog.com/ptg/archives/000063.php
> 
> This would require minimal application changes. Much less intrusive than new
> configuration values, internal messaging systems, etc.

The first solution listed there we already use (entity encoding).  The second
one would require MAJOR application changes (the javascript thing) to get it in
use everywhere we have email addresses displayed.
In order to have complete email address privacy, you need something that is
not an email address to put in boxes such as "Reassign bug to", "Add CC",
"Requestee", search boxes, etc.

To me the obvious way to do this is what most online forums etc. do, which is 
to have a login name that is not necessarily an email address.

I filed a bug about this, bug 218917, but reading it back it had seemed barely 
intelligible, with the actual suggestion lost somewhere in the original 
comment!

Would there be any objection to me duping that bug against this, and providing 
a summary of my (further) thoughts to date? It actually works out as a rather 
less intrusive change (code-wise) than you might think, because login_name is 
used all over the place, but email_address need not be.
> Would there be any objection to me duping that bug against this, and providing 
> a summary of my (further) thoughts to date?

Sounds like a good idea, but then make this a meta bug and file separate bugs on
each specific change that improves email privacy, f.e. arbitrary usernames.
I forgot I'd intended to link these bugs together... but now I think about it 
again, I think a dependency is the correct relationship rather than dupe.

Bug 218917 could (should?) be implemented in a way that only the login_name and 
never the email_address is shown to *other* users, but it doesn't have to 
provide this privacy, so is only a step towards this (and there may well be 
other bugs which provide other steps towards it from different directions).
Depends on: 218917
QA Contact: mattyt-bugzilla → default-qa
Assignee: myk → user-accounts
Duplicate of this bug: 435580
(In reply to comment #0)
> 3. In bug listings the "mailto:" link should just display my name or (if you 
> feel inspired) be a link to "send message form" that "proxy" the email so 
> that the final destination is not revealed to the sender.

This was proposed in Bug 215439, but it was opposed (even if I've not understood why).
Priority: -- → P5
Duplicate of this bug: 450295
To summarize bug 450295 above:
When following the "show votes" links, the voters' email addresses are displayed
in clear to any visitors, thus exposing them to spam bots.
Bug number 215439 is active, please Vote for it!

https://bugzilla.mozilla.org/show_bug.cgi?id=215439

as it addresses this problem.
Duplicate of this bug: 464675
Duplicate of this bug: 465417
I'm getting more and more spams on my bugzilla address.
Even people without a bugzilla account can harvest my email address.
7 years later, and it still s****. 
Privacy issues should get immediate attention. Bug 218917 would be a good start.
Keywords: privacy
Version: 2.17 → unspecified
Bugzilla is compromising the user's privacy, which is clearly a bug, not an enhancement (-> critical).
Severity: enhancement → critical
Please work on this...
Websites that can't preserve a person's privacy and prevent SPAM are worthless.

And, it is not just the "to" line.

I just got a message CC'd to me...

User a.b@c.com changed.....
Added a.b@c.com to cc list
comment #4 from a.b@c.com 

The user's e-mail address showed up 2 or 3 times in each message about the bug.

While e-mail addresses on the website are hidden without logging in, they are wide open EVERYWHERE once a person logs in.  And it is awfully easy to become a registered user.

The rest of the world is changing...  Mozilla and Bugzilla are in the stone ages of user privacy.

And, the only option...  just look at the list of usernames...  a lot of people have discovered the only option is to create special spam-filter usernames specifically for this site.

As always, I've put a high enough priority to this issue... that if given adequate site/system access I would be willing to volunteer some help towards fixing it.  Of course, it would take a little while to "get my feet wet"...  but apparently this has been a KNOWN issue for over a half a decade.
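The leak described in the comment above (other users' addresses repeated in the headers and body of a notification) can be checked mechanically on outgoing mail. The following is an added example, not Bugzilla code and not part of any comment on this bug; the function name `leaked_addresses`, the sample message and every address in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Deliberately loose pattern: good enough to flag address-shaped strings.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample notification (all addresses are placeholders).
SAMPLE = """\
From: bugzilla-daemon@bugs.example.org
To: mats@example.org
Cc: carol@example.com
Subject: [Bug 1] Example summary
X-Bugzilla-Who: alice@example.net

alice@example.net changed:
           What    |Removed |Added
                 CC|        |alice@example.net
--- Comment #4 from alice@example.net ---
Me too.
"""

def leaked_addresses(raw, recipient, allowed=()):
    """Return sorted (location, address) pairs for every address in an
    outgoing notification that is neither the recipient's own address
    nor in `allowed` (e.g. the tracker's sender address)."""
    ok = {recipient.lower(), *(a.lower() for a in allowed)}
    msg = message_from_string(raw)
    found = set()
    for name, value in msg.items():
        if name.lower() in ("to", "cc"):
            # Structured address headers: parse them properly.
            addrs = [addr for _, addr in getaddresses([value])]
        else:
            # Any other header (X-Bugzilla-Who, Subject, ...): pattern scan.
            addrs = ADDR_RE.findall(value)
        found.update((name, a.lower()) for a in addrs)
    body = msg.get_payload()  # plain-text, non-multipart mail assumed
    found.update(("body", a.lower()) for a in ADDR_RE.findall(body))
    return sorted(pair for pair in found if pair[1] not in ok)

if __name__ == "__main__":
    for where, addr in leaked_addresses(
            SAMPLE, "mats@example.org",
            allowed=["bugzilla-daemon@bugs.example.org"]):
        print(f"{where}: {addr}")
```

Run against a sample of real outgoing mail for a user who has opted into address privacy, an empty result is the pass condition.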
This is an RFE. Also, leave the version field alone. No reason to change it.
Severity: critical → enhancement
This bug is critical because it makes a security hole into the worldwide mail system.
I can't believe it when I filed my first comment today here in bugzilla that anyone could see my mail address before setting a user name and even after setting it every logged in user is able to see my mail address and not only my user name.

Are you bugzilla serious? So you let any spammer make an account and collect thousands of mail addresses?

This is a huge security hole and definitely seems that you don't care at all about privacy. Fortunately I realized it straight away and changed my personal account to an account for low or ambitious security sites. I was expecting more from bugzilla and not immatures.

Now I only hope there is a secure and permanent account deletion.
Duplicate of this bug: 145499
Priority: P5 → P2
Fixed in Bugzilla 5.1 by bug 218917.
Assignee: user-accounts → gerv
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 6.0