Skip to content
  • Home
  • Categories
  • Recent
  • Popular
  • World
  • Top
  • Tags
  • Users
  • Groups
  • Documentation
    • Home
    • Read API
    • Write API
    • Plugin Development
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo
v3.10.3 Latest
Buy Hosting
  1. Home
  2. General Discussion
  3. NodeBB Email Exposure Bug - Gravatar Plugin

NodeBB Email Exposure Bug - Gravatar Plugin

Scheduled Pinned Locked Moved General Discussion
5 Posts 3 Posters 2.2k Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S Offline
    S Offline
    scottalanmiller Community Rep
    wrote on last edited by scottalanmiller
    #1

    http://mangolassi.it/topic/9205/mangolassi-is-leaking-everyone-s-email-address/

    Log out, and go to someone profile page. Then ctrl+f and type in "@" and you will find anyone email address.

    Emails are displayed in the pages, even when people have chosen to hidden them. Our users found this after people have started to get spam with unique email addresses only used on NodeBB. HTTPS does not help.

    1 Reply Last reply
    1
    • S Offline
      S Offline
      scottalanmiller Community Rep
      wrote on last edited by
      #2

      From what we can tell, this was the Gravatar plugin using raw emails instead of the hash to call out to gravatar.

      P 1 Reply Last reply
      1
      • sirspamalotS Offline
        sirspamalotS Offline
        sirspamalot
        wrote on last edited by
        #3

        @scottalanmiller that not good 😞

        1 Reply Last reply
        0
        • P Offline
          P Offline
          pichalite Plugin & Theme Dev
          replied to scottalanmiller on last edited by
          #4

          @scottalanmiller sent a PR to the gravatar plugin repository to fix the issue. not sure when it's going to be merged and published.

          you can disable the "Force users to use gravatar" option in the plugins ACP page or manually apply the fix from the PR in the meantime to fix the issue on your setup.

          https://github.com/julianlam/nodebb-plugin-gravatar/pull/8

          sirspamalotS 1 Reply Last reply
          1
          • sirspamalotS Offline
            sirspamalotS Offline
            sirspamalot
            replied to pichalite on last edited by
            #5

            @pichalite Thank you! 🙂

            1 Reply Last reply
            0

            Copyright © 2024 NodeBB | Contributors
            • Login
            • Don't have an account? Register
            • Login or register to search.
            Powered by NodeBB Contributors
            • First post
              Last post
            0
            • Home
            • Categories
            • Recent
            • Popular
            • World
            • Top
            • Tags
            • Users
            • Groups
            • Documentation
              • Home
              • Read API
              • Write API
              • Plugin Development