Date   

moderated Re: Changing email address security issue #misc

 

Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit. Not to mention: the opportunity cost of implementing more worthwhile things.


On Feb 3, 2021, at 10:32 AM, Peter Cook <peterscottcook@...> wrote:

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

I agree that Shal’s idea takes us in the right direction. But still not far enough. I’d get rid of it entirely.


On Feb 3, 2021, at 10:29 AM, Shal Farley <shals2nd@...> wrote:


Mark,


Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

I would disable the ability to change the address if the member is even a member of any other groups. That's because the other groups may have sensitive information in their content to which the baddie should not gain access.

Or, make it apply to this group only. But that will be fraught with details when the new address is already an account or an alias of an account. It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

Shal

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete


moderated Re: Changing email address security issue #misc

 

Mark,


Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

I would disable the ability to change the address if the member is even a member of any other groups. That's because the other groups may have sensitive information in their content to which the baddie should not gain access.

Or, make it apply to this group only. But that will be fraught with details when the new address is already an account or an alias of an account. It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

Shal


moderated Re: Changing email address security issue #misc

 

Actually since your fix, they can’t do it to me. So I csn see this leading to people artificially making themselves group owners in order to benefit from the enhanced security protection .   


On Feb 3, 2021, at 10:22 AM, J_Catlady via groups.io <j.olivia.catlady@...> wrote:

This is a really good observation and I think the security risk applies not just to mods of groups. Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.

I’ve always felt queasy about the ability of a group owner to change the account address of anyone at all. That piece of data belongs at a higher level than the individual group. 

As a member of several premium groups, I’m wondering now whether group owners might do this to me. Prior to this I’d only thought about it as a group owner. I’d push for eliminating this ability entirely.


On Feb 3, 2021, at 8:55 AM, Mark Fletcher <markf@corp.groups.io> wrote:



Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

This is a really good observation and I think the security risk applies not just to mods of groups. Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.

I’ve always felt queasy about the ability of a group owner to change the account address of anyone at all. That piece of data belongs at a higher level than the individual group. 

As a member of several premium groups, I’m wondering now whether group owners might do this to me. Prior to this I’d only thought about it as a group owner. I’d push for eliminating this ability entirely.


On Feb 3, 2021, at 8:55 AM, Mark Fletcher <markf@corp.groups.io> wrote:



Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Bruce Bowman
 

On Wed, Feb 3, 2021 at 11:55 AM, Mark Fletcher wrote:

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Mark -- Thanks. This has bothered me for awhile now.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Correct me if I'm mistaken, but I think the most common scenario behind the existing feature is when someone simply gets a new email address, leaving the old one inactive. In such a case, the current behavior -- having the change occur account-wide -- strikes me desirable. 

If the account was to be split into two, it raises the question of how to subsequently merge them...especially if the previous address is no longer accessible. Generally, it seems to me that if an account holder is struggling to change his own address, he isn't going to be any more adept at merging them.

A third option (which probably won't be popular but I'd like to throw out for consideration) is the elimination of this feature altogether. As group Owners, we cannot edit a subscriber's profile, but we can change their login credentials? That combo has never quite added up to me. 

Regards,
Bruce


moderated Add DisplayName in the "joined" notification #suggestion

 

Hi Mark,

It can be useful in certain situations if DisplayName is added in the mod joined notification text, i.e.

This is to notify you that DisplayName ...@... has joined your group...
or alternatively,
This is to notify you that ...@... (DisplayName) or [DisplayName] has joined your group...
Even without the bracketing it would help catch if someone (user or mod) forgot to add a DisplayName on the profile (when this is a group policy), and especially when working with a multi-mod group in such group.

Thanks and Cheers,
Christos


moderated Re: Changing email address security issue #misc

Andy Wedge
 

On Wed, Feb 3, 2021 at 04:55 PM, Mark Fletcher wrote:

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Is that an owner or mod of a main group only or does it include mods of subgroups which may be just members in a main group?

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Along with the power to change someone's email address come the responsibility to use it wisely. I always get confirmation from the member in question that they understand that a change to their account address impacts all groups they are subscribed to.  Unless I get that confirmation, I don't make the change.  It can be lot less time and effort being able to make the change on behalf of someone than it is to recover the situation after their failed attempts.  It accounts are split based upon subscription I think that will generate confusion for some older members who will login with the wrong account for the group they want to interact with and wonder why they cannot access it.  Those are frequent questions on GMF.

Regards
Andy


moderated Re: Add the User Name in the "joined" notification #suggestion

 

Oh, you're right Andy, thanks for pointing that out!  I guess I'll create a new corrected submission.

Cheers,
Christos




moderated Re: Changing email address security issue #misc

Duane
 

On Wed, Feb 3, 2021 at 10:55 AM, Mark Fletcher wrote:
Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?
If you continue to allow email addresses to be changed, then I'd certainly prefer that it only effect one group.

Duane


moderated Re: Changing email address security issue #misc

Peter Cook
 

Mark, I think I've said this in the past so I may be repeating myself.

I do not think I should have the ability to change anyone else's email address globally, if at all. I consider it just too much of a security risk. Members can do it themselves quite easily (I've provided folks with instructions a number of times). If they can't do it because they no longer have access to an email account, that's their issue to fix, not mine.

$.02,
Pete


moderated Changing email address security issue #misc

 

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


moderated Re: Add the User Name in the "joined" notification #suggestion

Andy Wedge
 

On Wed, Feb 3, 2021 at 05:45 AM, Christos G. Psarras wrote:
Even without the parentheses it would help catch if someone forgot to add a username on their profile, especially when working with a multi-mod group.
Do you mean Display Name given that the username field on a profile is not currently used by Groups.io?

Andy


moderated Add the User Name in the "joined" notification #suggestion

 

Hi Mark,

It can be useful, if you add the user name as well in the mod notification text:

This is to notify you that UserName ...@... has joined your group...
or alternatively
This is to notify you that ...@... (UserName) has joined your group...
Even without the parentheses it would help catch if someone forgot to add a username on their profile, especially when working with a multi-mod group.

Thanks and Cheers,
Christos


moderated Re: Disallow concurrent "special notices" and "following only" #suggestion #bug

 

>>> setting these options in a different place.

Oh, I found another two admin spots that also set sub settings:

- When the mod clicks on the member's name on the member list and get their sub settings (among others).  If the sub part of that page is shared, when the "user" sub settings screen is done, it would take care of this too.

- Default Sub Settings. That one renders differently because of the isolated and collapsible AdvancedPrefs panel and needing to combine the settings into a single panel (Mark had already partially-done(started?) what we're currently suggesting, lol!) 
The same re-arranging treatment or shared include would be needed there.

Cheers,
Christos


moderated Re: Clarify Photo Album Owner Name #suggestion

Bruce Bowman
 

On Tue, Feb 2, 2021 at 04:19 PM, Andy Wedge wrote:
I shouldn't need to load effectively dummy images when the album was created to contain member photos.
A single black pixel will work. Try the attached "photo" (119 bytes).

Regards,
Bruce


moderated Re: Non - Member Posts #suggestion

 

Mark,

Thanks for taking care of suggestion 1.

>>> What if a message is sent by a non member, and then later that person becomes a member? Does the badge stay on the message when viewing the website? And vice-versa, if a member sends a message and then leaves the group, should a badge be displayed then?

Here's one way it could be accomplished, UI part first.

We can use that unused area between the name and date.  It could be something like this for a Non-Member message:

NonMember_UI_NM.jpg

It would stay there indefinitely unless that user becomes a member, in which case it would go away.

(Or possibly change it to a new badge, something like NEW or NeM "New Member", aptly colored and timed so it goes away after some time has passed since the user joined.  This would now becomes a "new group member" badge as other online forums use, the ones offering group status/standing badges and such; after some time, or maybe number of posts, it goes away)
NonMember_UI_NEW.jpg

If they leave, we display now something like XM, "Ex Member", "permanently"; that would help identify to readers messages posts from ex-members:

NonMember_UI_XM.jpg
- If that user sends-in a NM message to the group and it gets approved, it would be shown with both Non- and Ex-member badges.

- If that user comes back, the Approve-member process would check to see if they have been a member before, in which case the normal "new user" designation would not be applied on their posts or displayed; technically they are a "new" member, but we wouldn't want their previous posts being shown with NEW next to them for a while, they just rejoined, like they never left.

This visual scheme could also be replicated in other areas like Files and Photos so it takes care of orphaned display issues.

If admins start complaining that the message looks like an xmas tree or something, a badge-display on/off checkbox can be added in group settings.

The nice long-term potential benefit of using the badges like that in the UI, is that if in the future it is decided to actually offer this type of membership status/standing badges (new user, experienced user, prolific poster, contributor, whatever), the infrastructure will already be there.  It could potentially even be extended to allow the mod to set that badge as a "functionality" badge, i.e. Chairman, Secretary, Officer, Treasurer, etc, so one could visually see in topic-expanded view who is what and how their message relates to their function.

If something like this is implemented, the NonMember badge, & possibly the ExMember as well, would be available to all groups, but all the extensibility stuff I mentioned could be paid-only groups, or paid upgrade feature.


Regarding the email part:

- Flag the mod's pending message notification: "A message was sent .... from non-member ...@... that needs to be approved.", bolded so it stands out.

(It could also be further tweaked to where it will alert the less-experienced mod whether a user is in both pending-member and pending-message queues:  "A message was sent .... from (pending) non-member ...@... that needs to be approved."  The same check could then be also added in the pending member notification email as well: "...@... (having pending messages) applied to join your group Practice-NEW@groups.io.  Or something like that)


As for identifying somehow in the email sent out that it was from a non-member, using a hashtag to indicate this could work, as it would be readily visible, and would also allow someone to view only non-member posts by clicking on the hashtag; but on the other hand, we are "modifying" the subject, and it would also require that hashtag to be actively (manually or automatically by code) deleted (or changed) from the archive by someone, so it would require more admin or implementation work, plus then you'd have the problem of someone replying to the original #nonmember tagged email, causing more headache...

Instead, we could identify the NM message by using the footers, something like this maybe:

------------------------------------------
View/Reply Online ... | Reply To Group | Reply To Sender | Follow This Topic | New Topic| .....
Your Subscription | Contact Group Owner | Unsubscribe [...@...]
Note: This message was sent to the group by a non-member.   (bolded or not)
------------------------------------------

Besides it being out of the way but still spottable, it also "replicates" the UI NM badge that goes away since that snippet would also go away after the person gets approved.  And also as in the UI equivalent, that line could also now serve for this "emailed badge(s)" functionality from now on, so it still replicates the UI, albeit not retroactively as the UI does, the snippet in the email case also can serve as a "historical" badge.

Finally, a mission creep statement: If we were to implement this and start showing the NM badge right now on the UI, it may be beneficial to also roll-in displaying the Mod or Owner (or Admin for both) badges like other forums do.

Cheers,
Christos


moderated Re: Wrong error/bounce message when member tries to reply to a topic with a "tag only moderators can use" #bug

 

Hello,

On Sat, Jan 30, 2021 at 9:24 AM Bruce Bowman <bruce.bowman@...> wrote:

So it does...eventually...tell you why the failure occurred. The main problem is that the failure is not 500-level, so your provider (and mine) keeps trying to deliver the message.

This should be fixed now.

Thanks,
Mark 


moderated Re: Clarify Photo Album Owner Name #suggestion

Duane
 

On Tue, Feb 2, 2021 at 02:40 PM, Andy Wedge wrote:
Can we clarify that the name given is the album owner, not necessarily the person in the picture
I think the easiest would be to prepend "Album by" to the name, but that may create a situation in albums set to Group Access where anyone can add photos.  Maybe "Photo by" would be better and use the owner of the photo shown, not the person that created the album.

Duane

1681 - 1700 of 29729