Closed Bug 520870 Opened 12 years ago Closed 12 years ago

Email addresses on profiles should not be visible to logged out users


(Participation Infrastructure :: Phonebook, defect)

Windows XP
Not set


(Not tracked)



(Reporter: TMZ, Unassigned)


Just search for a user and you can view there email addresses even if you are not logged in.

I would of thought email addresses should only be available to logged in members.
Summary: Email addresses on profiles should not be available to logged out users → Email addresses on profiles should not be visible to logged out users
The way this is set up is that a user can control whether or not each field on their user profile is viewable to "Everyone" or "No one".  This seems like you are saying there needs to be another privacy permission to allow fields to be visible to users registered on the site, but hidden to anonymous users?  This would be a change request, so Jay please let me know if you want this.
Rebecca:  Actually, this is the one bug that is critical and it is not out of scope.  I have made it clear that we should not display anything other than Name, Location, and maybe Occupation and Organization to non-authenticated users.  Maybe this got lost somewhere between Dan, Riche, Alonza, and you... but the privacy settings in the public profile are for registered and authenticated users of the site.

We do not want anyone in the world to come to and have access to identifiable info like email addresses and aim usernames.  Can you image what a field day spammers will have harvesting the website?  This is one thing I don't think should be a change request... so I hope you will be able to fix this.
You are right, we will take care of this.
I have to take back my last comment.

I had a chance to talk to Marc about implementing this - the privacy of certain fields to anonymous users.  I thought this would be a quick fix, but Marc indicated it is not.  He said that until now, he always thought that everyone was everyone, not just authenticated users.  He is clear that this was not in the original requirements because that definitely would have impacted other decisions we made throughout the process.  His main concerns lie in knock-on implications for other pages, which requires additional hours to work out and test.
Rebecca:  There has been an obvious miscommunication between project managers and developers (Marc) about this.  I made it very clear to both Dan and Riche when we were working out the architecture.  You can see the rough breakdown in this doc:

Which has been on your wiki for months... and no one has asked me for clarification, so I assumed Trellon understood the basic needs and correct way to implement.  I have always logged in to the site, so I missed this... but it is clearly a major issue for our users' privacy.
Severity: normal → major
I agree that this is a major issue, but just requiring a user to be logged in to view email addresses isn't really adequate protection if any logged in user can harvest email addresses for the entire site.  A related problem is email addresses are displayed for new users by default (as a new user, I didn't even notice the "hide email address" checkbox which is *unchecked* by default, and even if I had I wouldn't have thought that it meant that my email address would be published in plain text in a profile page).  Should a new bug be created for that issue?  I would even suggest that all existing users should be reset to having their email addresses hidden. And in any case email addresses should only be displayed as an image, not plain text.
I will look into making the email addresses hidden by default.  I think we can do that from the admin interface.

I also believe Trellon installed a module to help protect users from crawlers... but the email will still be visible to the users.  This project has dragged on so long since this bug was discussed, QA will need to find out if that is actually the case.

If not, we can contact Trellon for an update.
Trellon said that after discussing this a month ago, we decided that authenticated users can see the email addresses, so there is not need to hide the strings.

I still think that is not enough security, so let's keep this open and we can look for a good solution to protect our users better soon.
Just to be clear... a visitor to the site that is not logged in as an authenticated user should not see the email address when looking at user profiles. 

If someone does see that info... please confirm.  Because that *would* be a blocker.
I think Milos filed a new but to convert email text (even for authenticated users) into images... so I am going to mark this fixed.

I do not see anyone's email address when I am simply a visitor and looking through user profiles.
Closed: 12 years ago
Resolution: --- → FIXED
Verified on
Component: → Phonebook
Product: Websites → Community Tools
QA Contact: mozillians-org → phonebook
Version: unspecified → other
You need to log in before you can comment on or make changes to this bug.