Thread: Serious privacy flaw in Zimbra's calendars

  1. #1
    sixela

    I am posting this message to warn all Zimbra users about a serious privacy flaw that I found today. This flaw is not new: it was reported in Zimbra's bug tracker in 2009 (cf. Bug 35965 – Private events within shared calendars show the organizer name), but I am very surprised to see that only a few people cared about the bug.

    Here is the flaw: I suppose that your calendar is shared with other Zimbra users. You receive an invitation; you accept it and you mark the appointment as Private. In this case, the other users who look at your Zimbra calendar will see the appointment with a lock icon but, when they point their mouse to the appointment, they will also be able to see the name of the organiser of the event, i.e. the name of the person who sent you the invitation! This is a serious leak of information and it makes your appointment "not so private"!

    So, if you have a private appointment generated from an invitation and you don't want other users to see the name of the organiser, the only solution is to delete the appointment from your Zimbra calendar!

    If you think, like me, that it is a serious privacy flaw, please vote for the bug and try to catch the attention of Zimbra developers to fix it:
    Bug 35965 – Private events within shared calendars show the organizer name

    Alexis de Lattre
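
The leak described in the post above, as an added Python illustration that is not from this thread or from Zimbra's code: a sharee's view of a private event built by hiding a list of fields still exposes the organizer, while a view built from an allowlist does not. The property names are standard iCalendar (RFC 5545); the function names, both field lists and the sample event are constructed assumptions.

```python
# Added illustration, not Zimbra code. All names and the sample event are constructed.
ALLOWED_FOR_SHAREES = {"BEGIN", "END", "UID", "DTSTART", "DTEND", "DURATION", "CLASS", "TRANSP"}
CONTENT_DENYLIST = {"SUMMARY", "LOCATION", "DESCRIPTION"}  # forgets ORGANIZER/ATTENDEE

SAMPLE_VEVENT = (
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.test\r\n"
    "DTSTART:20121105T140000Z\r\n"
    "DTEND:20121105T150000Z\r\n"
    "CLASS:PRIVATE\r\n"
    "SUMMARY:Interview\r\n"
    "ORGANIZER;CN=Recruiter Example:mailto:recruiter@\r\n"
    " example.test\r\n"  # folded continuation line (RFC 5545)
    "ATTENDEE;CN=Owner Example:mailto:owner@example.test\r\n"
    "END:VEVENT\r\n"
)

def parse_properties(vevent):
    """Return [(NAME, unfolded_line)], undoing RFC 5545 line folding."""
    lines = []
    for raw in vevent.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    # The property name ends at the first ';' (parameters) or ':' (value).
    return [(l.split(":", 1)[0].split(";", 1)[0].upper(), l) for l in lines]

def is_private(props):
    """Any CLASS other than PUBLIC is treated as private (fail closed)."""
    return any(n == "CLASS" and l.partition(":")[2].strip().upper() != "PUBLIC"
               for n, l in props)

def denylist_view(vevent):
    """Weak: hides only the fields someone remembered to list."""
    props = parse_properties(vevent)
    hide = CONTENT_DENYLIST if is_private(props) else set()
    return [l for n, l in props if n not in hide]

def allowlist_view(vevent):
    """Hardened: a sharee gets only free/busy-level fields of a private event."""
    props = parse_properties(vevent)
    if not is_private(props):
        return [l for _, l in props]
    return [l for n, l in props if n in ALLOWED_FOR_SHAREES]

def leaked_properties(view_lines):
    """Property names in a sharee's view that exceed the allowlist."""
    names = {l.split(":", 1)[0].split(";", 1)[0].upper() for l in view_lines}
    return sorted(names - ALLOWED_FOR_SHAREES)
```

Running `leaked_properties` over whatever a non-owner account actually receives for a private appointment works as a regression check for this class of leak.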

  2. #2
    jhon

    Hi
    Which Zimbra version are you using?

  3. #3
    sixela

    Originally posted by jhon:
    Which Zimbra version are you using?

    I am using Zimbra version 7.1.3_GA_3346. By the way, there was some activity on bug report no. 35965 a few days ago, with some code changes related to the bug report. But the status of the bug is still "assigned"; the developer didn't change it, cf. Bug 35965 – Private events within shared calendars show the organizer name

    Alexis

  4. #4
    liverpoolfcfan

    Also says target release is Judas Priest - which will be Zimbra 9.0 I would assume. If you want a quicker fix - you should add comments to that effect in the bug report comments.

  5. #5
    sixela

    Originally posted by liverpoolfcfan:
    Also says target release is Judas Priest - which will be Zimbra 9.0 I would assume. If you want a quicker fix - you should add comments to that effect in the bug report comments.

    Thanks for your remark, I didn't spot this. Of course, I would love to have a quicker fix because I think this privacy issue is important! But I am very surprised to see that it is a very old issue and that nobody really cared until recently...
