Serious privacy flaw in Zimbra's calendars
I am posting this message to warn all Zimbra users about a serious privacy flaw that I found today. This flaw is not new; it was reported in Zimbra's bug tracker in 2009 (cf. Bug 35965 – Private events within shared calendars show the organizer name), but I am very surprised to see that only a few people cared about the bug.
Here is the flaw: suppose that your calendar is shared with other Zimbra users. You receive an invitation; you accept it and you mark the appointment as Private. In this case, the other users who look at your Zimbra calendar will see the appointment with a lock icon but, when they point their mouse at the appointment, they will also be able to see the name of the organiser of the event, i.e. the name of the person who sent you the invitation! This is a serious leak of information and it makes your appointment "not so private"!
So, if you have a private appointment generated from an invitation and you don't want other users to see the name of the organiser, the only solution is to delete the appointment from your Zimbra calendar!
If, like me, you think that it is a serious privacy flaw, please vote for the bug and try to catch the attention of Zimbra developers to fix it:
Bug 35965 – Private events within shared calendars show the organizer name
Alexis de Lattre
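
To see which appointments are affected before deciding what to delete, the following added example (not part of the original post and not Zimbra code) scans an iCalendar export of a shared calendar and lists private events that carry someone else's name as organizer. It assumes the export marks private appointments with the standard `CLASS` property and invitations with `ORGANIZER`; the function name, the `owner_email` parameter and the sample data are constructed for illustration.

```python
import re

# Constructed sample export; every name and address is a placeholder.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0",
    "BEGIN:VEVENT", "UID:1", "SUMMARY:Interview", "CLASS:PRIVATE",
    'ORGANIZER;CN="Doe: Jane":mailto:jane@other.exa', " mple",  # folded line
    "BEGIN:VALARM", "ACTION:DISPLAY", "SUMMARY:Reminder", "END:VALARM",
    "END:VEVENT",
    "BEGIN:VEVENT", "UID:2", "SUMMARY:Dentist", "CLASS:PRIVATE", "END:VEVENT",
    "BEGIN:VEVENT", "UID:3", "SUMMARY:Team sync", "CLASS:PUBLIC",
    "ORGANIZER:mailto:boss@example.com", "END:VEVENT",
    "BEGIN:VEVENT", "UID:4", "SUMMARY:Own meeting", "CLASS:PRIVATE",
    "ORGANIZER:MAILTO:Me@example.com", "END:VEVENT",
    "END:VCALENDAR", ""])

# name, optional ;params (quoted values may contain ':'), then the value
PROP = re.compile(r'^([\w-]+)((?:;(?:"[^"]*"|[^":;])*)*):(.*)$')

def exposed_private_events(ics_text, owner_email):
    """Return non-public events whose organizer is someone other than the owner."""
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()  # RFC 5545 unfolding
    findings, event, nested = [], None, 0
    for line in lines:
        upper = line.strip().upper()
        if event is None:
            if upper == "BEGIN:VEVENT":
                event = {}
        elif upper.startswith("BEGIN:"):
            nested += 1                  # VALARM etc.: ignore its properties
        elif upper.startswith("END:") and nested:
            nested -= 1
        elif upper == "END:VEVENT":
            params, value = event.get("ORGANIZER", ("", ""))
            address = re.sub(r"(?i)^mailto:", "", value).strip().lower()
            private = event.get("CLASS", ("", "PUBLIC"))[1].strip().upper() != "PUBLIC"
            if private and address and address != owner_email.lower():
                cn = re.search(r'(?i)CN=(?:"([^"]*)"|([^;:]*))', params)
                name = (cn.group(1) or cn.group(2) or "") if cn else ""
                findings.append({"uid": event.get("UID", ("", ""))[1],
                                 "summary": event.get("SUMMARY", ("", ""))[1],
                                 "organizer": address, "organizer_name": name})
            event = None
        elif nested == 0 and (m := PROP.match(line)):
            event.setdefault(m.group(1).upper(), (m.group(2), m.group(3)))
    return findings

if __name__ == "__main__":
    print(exposed_private_events(SAMPLE_ICS, "me@example.com"))
```

Events the owner organized are skipped, since the post concerns appointments generated from received invitations.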