Spammer somehow getting user email addresses
- This topic has 12 replies, 3 contributors, and was last updated 9 years, 9 months ago by raytronx.
Question
December 18, 2014 at 11:32 am #34065 @george123
We have a spammer who was banned who loves to harass members on my community. Somehow he is getting users’ email addresses. He has no access to anything but the frontend. I have been racking my brain as to how he could get a user’s email address. Any ideas?
Thank you.
Answers
December 18, 2014 at 2:56 pm #34073 @alyssa-buddyboss
Alyssa, Participant
@george123 If users use the same username on other sites with public emails, that would be easy to do, and I have done it in the past 🙂
December 18, 2014 at 2:59 pm #34074 @george123
Any other way? I tried searching other sites on Google and didn’t see anything.
December 18, 2014 at 5:50 pm #34084 @alyssa-buddyboss
Alyssa, Participant
@george123 I’m not sure of any other way. I found a couple that were actually posted on your site, so that could be another way.
December 19, 2014 at 11:23 am #34100 @george123
Strange. A new member emailed me to remove their account because a spammer emailed them. New member, so it’s strange.
December 19, 2014 at 2:56 pm #34103 @alyssa-buddyboss
Alyssa, Participant
@george123 You may want to request support from BuddyPress.
December 19, 2014 at 8:05 pm #34108 @raytronx
If you’re using bbPress as a forum it may be that. I noticed after the last update it now sends forum subscribed thread notifications as BCCs vs individual emails. The only problem is it doesn’t seem to be hidden, at least when it is sent from my site. Could be a WordPress thing or a server setting, but everyone subscribed to the threads can see everyone else’s email addresses.
December 20, 2014 at 10:10 am #34113 @alyssa-buddyboss
Alyssa, Participant
@raytronx That is a HUGE security flaw in bbPress, hopefully there is a fix. Yikes, thanks for the info.
December 20, 2014 at 2:50 pm #34123 @george123
That’s unbelievable if true. It would literally be the worst security flaw I’ve personally seen.
I tried posting 4 times in the bbPress Trac and on the bbPress forum and my posts do not show up at all. I tried posting from 2 computers and my cell phone. Maybe they have some sort of post queue?
@admin @tjchester @raytronx Would any of you mind posting this on bbPress Trac or on their forum? This has to be a big concern for most BuddyBoss users.
December 20, 2014 at 5:48 pm #34125 @george123
I got in touch with John from BuddyPress:
bbPress did switch to BCCs for bulk emails of notifications to topic replies in 2.4, but this is the first I’ve heard of any user data being exposed to unauthorized users.
Any security issue is a serious one, and is worth investigating and immediately resolving if confirmed.
I’m unable to double-check this for the next 24 hours, but will do so at my earliest available moment (if no one else does so and replies here first.)
Thanks for letting us know, and I will be back in touch as soon as I have more information.
I will post updates here.
December 20, 2014 at 6:09 pm #34126 @raytronx
It’s been reported a few times in the bbPress forums but no answers.
https://bbpress.org/forums/topic/bcc-field-in-notifications-is-visible-to-users/
https://bbpress.org/forums/topic/cc-instead-of-bcc-in-notification-emails/
Maybe it is just certain server setups. I know myself and another person on SiteGround have the issue. SiteGround support told us it is WordPress or plugin related.
December 20, 2014 at 6:11 pm #34127 @george123
Wow. Adding this to my emails with John. Thank you.
January 30, 2015 at 9:30 am #35176 @raytronx
@tjchester
It looks like my issue with the BCCs is being caused by the wpMandrill plugin I use to send emails through the Mandrill service. The Mandrill API previously couldn’t deal with BCC emails; it has been updated but its WP plugin hasn’t.
I tried this code offered by a user but it ended up sending two emails. One with no BCCs showing and one with the same BCCs showing problem. https://wordpress.org/support/topic/how-to-contribute-fixed-bcc
- The question ‘Spammer somehow getting user email addresses’ is closed to new replies.
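The condition reported in this thread, a notification sent with BCC recipients that arrives with the other subscribers' addresses still readable, can be checked on a raw message saved from a test subscriber's mailbox. The following is an added example, not code from the thread, bbPress or wpMandrill; the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers in which a delivered copy could reveal other recipients.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")


def exposed_recipients(raw_message, delivered_to, site_addresses=()):
    """Return {header: [addresses]} for addresses readable in the delivered
    copy that are neither the mailbox owner nor the site's own sender."""
    msg = message_from_string(raw_message)
    allowed = {delivered_to.lower(), *(a.lower() for a in site_addresses)}
    findings = {}
    for header in RECIPIENT_HEADERS:
        values = msg.get_all(header, [])
        addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
        leaked = [a for a in addrs if a not in allowed]
        if leaked:
            findings[header] = leaked
    return findings


def bcc_header_present(raw_message):
    """A Bcc header should not survive into any recipient's copy."""
    return message_from_string(raw_message).get("Bcc") is not None


# Constructed sample: notification as received by tester@example.com,
# with the Bcc list left in the headers by the sending path.
LEAKY = """From: Forum <noreply@forum.example>
To: noreply@forum.example
Bcc: alice@example.org, bob@example.net, tester@example.com
Subject: [Forum] New reply in a subscribed topic

Someone replied to a topic you follow.
"""

# Constructed sample: the same notification with the Bcc list stripped.
CLEAN = """From: Forum <noreply@forum.example>
To: noreply@forum.example
Subject: [Forum] New reply in a subscribed topic

Someone replied to a topic you follow.
"""

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        found = exposed_recipients(raw, "tester@example.com", ["noreply@forum.example"])
        print(name, "Bcc header present:", bcc_header_present(raw), "exposed:", found)
```

Running it against a notification received by a test account after each change to the mail plugin or sending service shows whether other subscribers' addresses are still being delivered.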