by sugerman
4453 days ago
I don't think schofield's response was great, but he certainly didn't pretend the submitter was making something up, he just didn't think the information exposed is sensitive. Realistically this isn't a bug in the software, it's an issue with the design of the invitation feature from a legal/UX standpoint. Either the user sending the information should be aware the information is not private and/or the invitations should expire at some point.

Edit: expiration would limit the scope of data leakage, and should also be looked into, but expiration without access controls still allows patient attackers to collect all of the data being generated and store it for future use.