Security Hole in Private Discussion Group

A private discussion group should always be private, in that one can only @mention members of the group. If one @mentions a non-member, Clarizen should generate an error message and prevent the post, which it does.

However, you can bypass this restriction by simply creating a group (say Bogus-Group) of one person and @mentioning @Bogus-Group; Clarizen does not prevent that post from continuing. This is inconsistent behavior at best and a way to bypass the "Private" nature of the group, i.e. a security hole.

E.g., a bad scenario of this security hole would be an executive sharing financial info with a company or individual outside the private group because the "Privacy" business rule was not enforced.

A warning is not even provided that one is about to post a message outside of the group membership. 

This is a work-as-designed feature that seems inconsistent at best, and a security hole at worst.

This was temporarily considered a bug but is not considered a feature request: https://success.clarizen.com/hc/en-us/requests/28773

Louie Viriato: Not planned
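To make the gap described in the post concrete, here is an added model of the @mention membership check (this is illustrative code, not Clarizen's; the group names, user ids, the `GROUPS` directory and the `outsiders_weak` / `outsiders_strict` functions are all constructed for the example). The weak check tests only direct @user mentions against the private group's membership and lets an @Group mention through unexpanded, which is the bypass the post reports; the strict check expands every mention, including nested groups and cycles, down to concrete users before testing membership.

```python
"""Model of the private-group @mention check described in the post.

Added illustration, not Clarizen's code: group names, user ids and the
check functions are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)     # user ids
    subgroups: set = field(default_factory=set)   # names of nested groups


# Constructed directory: a private executive group, and a one-person
# "Bogus-Group" created by an outsider, as in the post. The nested
# groups form a cycle on purpose to show that expansion terminates.
GROUPS = {
    "Finance-Execs": Group("Finance-Execs", members={"alice", "bob"}),
    "Bogus-Group": Group("Bogus-Group", members={"mallory"},
                         subgroups={"Contractors"}),
    "Contractors": Group("Contractors", members={"eve"},
                         subgroups={"Bogus-Group"}),
}


def expand_group(name, seen=None):
    """Return every user a @Group mention reaches, following nested groups."""
    seen = set() if seen is None else seen
    if name in seen:                  # cycle guard
        return set()
    seen.add(name)
    group = GROUPS[name]
    users = set(group.members)
    for sub in group.subgroups:
        users |= expand_group(sub, seen)
    return users


def resolve_mention(mention):
    """Map one @mention (user or group) to the concrete users it notifies."""
    name = mention.lstrip("@")
    return expand_group(name) if name in GROUPS else {name}


def outsiders_weak(private, mentions):
    """The behaviour the post describes: direct @user mentions are checked
    against membership, but @Group mentions are waved through unexpanded.
    Returns the set of non-members the check would have caught."""
    leaked = set()
    for m in mentions:
        name = m.lstrip("@")
        if name in GROUPS:
            continue                  # the gap: no membership test for groups
        if name not in private.members:
            leaked.add(name)
    return leaked


def outsiders_strict(private, mentions):
    """Hardened check: expand every mention to users, then report each
    recipient who is not a member of the private group."""
    recipients = set()
    for m in mentions:
        recipients |= resolve_mention(m)
    return recipients - private.members


def can_post(private, mentions, check=outsiders_strict):
    """Allow the post only when no mention reaches a non-member."""
    return not check(private, mentions)


if __name__ == "__main__":
    execs = GROUPS["Finance-Execs"]
    # A direct mention of an outsider is blocked by either check.
    print(can_post(execs, ["@mallory"], outsiders_weak))      # False
    # The bypass: the weak check lets @Bogus-Group through ...
    print(can_post(execs, ["@Bogus-Group"], outsiders_weak))  # True
    # ... while the strict check expands it and names the outsiders.
    print(sorted(outsiders_strict(execs, ["@Bogus-Group"])))  # ['eve', 'mallory']
```

The design point is that membership must be enforced on the resolved recipient set, not on the literal mention text: any indirection the platform allows (a group, a nested group, a distribution list) has to be expanded before the check, otherwise creating a one-member wrapper group is enough to route a private post to anyone.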


1 comment


Security and privacy in discussions are very limited and not complete in my eyes. My organization rejected the use of this feature just because of that, and I've since removed it from everyone's profile. The same goes for reports, as to which users you see when running reports (it depends on the permission setting, but it's very lacking in functionality). Hopefully this will be fixed.

Guy 0 votes