We have received a comment from a user suggesting that private entries could be read by simply clicking view/source on the page.
I have tested this just now to verify this claim and I cannot make it happen.
If you have any further information as to what you are doing to be able to read private entries then please let us know so that we can fix it.
In future, if any one becomes aware of a security problem we would very much appreciate being given the opportunity to fix it prior to it going public. Don’t get us wrong, we’ll admit to it, but it’s much better to tell the horses that the stable door was open than to say “hey guys! its open!”. Respect the privacy and security of the others on this system please.
We’re always up front and honest with everyone, it’s one of our core beliefs. If we screw up, we tell you. AFTER we have fixed the problem.
If you have any future issues with the system the appropriate address is firstname.lastname@example.org as this will be private. A comment added to the news diary is a highly public place to leave security vulnerability information. *sigh*.
Still, thanks for the heads-up, even if it wasn’t quite in the right manner.
If anyone has any information to help prove and then isolate the flaw we’d appreciate it, so far though we can’t find a way to read private entries. We can’t even find a way to see there is a private entry in the first place.