bentivogli found out about a serious privacy issue in the CouchSurfing system. He reported it on August 10th. Apparently anyone on the internet can see who is interested in who on CS. And password resets. Here’s an (anonymized) excerpt:
* D did interesting_user to D (20070816070640)
* P did interesting_user to I (20070816070517)
* G did interesting_user to G (20070816070453)
* S did interesting_user to E (20070816070117)
* c did interesting_user to c (20070816070104)
* B did password reset to B (20070816065925)
* M did interesting_user to T (20070816065628)
* M did interesting_user to L (20070816065410)
* T did interesting_user to COUCHSURFING SYSTEM (20070816065307)
(Note that people find themselves very interesting.)
The CouchSurfing volunteer coordinator (2000 US$/month), who should be able to fix this in 10 minutes, respond on August 15th:
Basically, I’d need to do what you should have done and go post it myself in the bug tracker. That’s not really efficient for anyone. Also, since only one other person has bothered on discussing this it’s not likely to be changed. I’d suggest to wait and see if anyone else supports this idea and go from there. I don’t personally see a problem with it, myself.
I’m sure that the CS VC doesn’t see a problem, since he can read the messages of all CouchSurfers, so he’s not very used to people fathoming their privacy. But I’m sure his attitude will lead to herds of new volunteers posting stuff in the bug tracker, or removing spam on the CouchSurfing wiki. Yay for efficiency for anyone!
Recent Comments