Personal Messages showing up on Google search

Started by ragrossman, April 22, 2010, 07:58:17 PM


ragrossman

I have run a Simple Machines forum for over 4 years. One of my long-time participants said that she did a Google search of a topic on the forum, and Google returned a link that included many Personal Messages that had been sent to me (the Moderator of the forum). My forum is very basic, with few Mods, and my "inbox" has been made available to no one but myself. Can someone explain how this happened, and what I can do to stop this in the future? This is a very serious breach of confidential information. The URL of the site that was included in the Google search ended in: ;wap2

I am currently running version 1.1.11.

Thank you!

Adish - (F.L.A.M.E.R)

You might get better support in the 1.x support board, do you want it moved there?

Additionally, you might want to have it moved to bug reports and I am pretty sure that this issue will hit top priority as this is something very serious.

Few questions:
- What are the mods installed?
- If you remove the ;wap2, what shows up? A topic or personal messages of a user?
- What is the path (index.php?action......)?
- Have you checked the guest permission settings for PMs?

Antechinus

Have you still got a link to that search page, or the URL that was used? Not that I want you to post them publicly, but they could be useful in diagnosing the problem.

You can file a private security report if you want to: http://www.simplemachines.org/about/security.php

flapjack

If you feel like it, please feel free to send me the link to the search via PM; I will investigate it.

Kindred

Without some backup documentation/information, I am not certain that I believe this.

I do not mean to slight the OP, but I have never heard of such a thing and cannot even begin to imagine how Google would have "seen" the PMs, since one user cannot see another's PMs; even the admin can't do that.

I am moving this to bug reports, but we need more information.

Glory to Ukraine

Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support boards. Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

flapjack

One thing that popped into my mind was that those PMs were partially quoted somewhere.

ragrossman

Hi,

I sent a PM to Kindred--so I will wait to hear back from him/her before I post again.  Thanks...

Antechinus

Quote from: flapjack on April 22, 2010, 08:25:39 PM
One thing that popped into my mind was that those PMs were partially quoted somewhere.

That occurred to me too, but it's worth looking into just to be sure.

Kindred

I am working with the user to try and track the issue.

Kindred

I have been talking with the user directly. I am not quite ready to close this, but it certainly looks as if the user was actually logged in (with a forever cookie) and just did not realize that she was logged in when she could see the PMs.

Kindred

After speaking with the user, I have determined the source of her confusion.

She somehow found the MOBILE version (WAP) listed on Google and thought it was a different site that had somehow copied all of the content from the actual site. Since she was logged into the site, when she went to the mobile version, she was able to see her PM inbox and all of the board messages.

Marked as a "non-bug, user misunderstanding"

ragrossman

Thanks, Kindred, for all of your help!  It was much appreciated...

R.
