Posted

Hi,

This morning I woke up to find that tens of thousands of spam emails were sent through the "share by email" feature.

The support's brilliant suggestion was to disable that feature.

So instead of taking the responsibility to fix or remove an easily abusable feature, it's the customer's responsibility to disable it.

Bravo!

If the content that is to be shared can be removed and replaced by a spam message, then the feature is clearly broken. If this happens tens of thousands of times, and the system doesn't catch that, then the system is broken too.

Posted

I don't really care whether it was done by a guest, or a forum member, or a hacked forum member. The system should neither allow replacing the share message with a random message, nor tolerate sending of hundreds of identical messages per minute. This is very simple common sense.

Posted

If it's made by a member, it is like a post. He can post 1, he can post 94823498273497247923492394792374923742. That's how it works. If it's made by a guest (bot or something), then not even one, as THEORETICALLY Captcha should stop them.

Anyway, you should try to provide smarter feedback than attacking the support/IPS...

Bravo to you! You will really get far this way! 😄

Posted

No, it's not like a post!! A post gets distributed to all users who are subscribed to that category, who can unsubscribe from such messages as they like.

The "share by email" feature on the other hand allows submission of random content to random email addresses.

I did send two very nice messages to support. If the best they can come up with is suggesting to disable the feature, I don't see how asking nicely for a third time is getting me anywhere.

(And just a hint: disabling the feature was nothing I couldn't think of myself before getting in touch with support.)

A feature that allows spamming random email addresses without giving them the option to unsubscribe violates CAN-SPAM, GDPR and probably every other anti-spam regulation in any other legislation too. And this is a feature currently provided by InvisionCommunity.

Posted
8 minutes ago, Jan Krohn said:

A feature that allows spamming random email addresses without giving them the option to unsubscribe violates CAN-SPAM, GDPR and probably every other anti-spam regulation in any other legislation too. And this is a feature currently provided by InvisionCommunity.

Hi,

I'm really sorry for your bad experience with this feature. We agree with your concerns here and have changed the way this feature works for IPS 4.5.0.

  • 2 weeks later...
Posted

Invision Community Team: 

Thousands of emails are sent without control, the site email address is recorded in spam databases and your answer is "sorry, fix in 4.5"? You've already tired us a little bit with the blue message box about the new version; why don't you warn users with a red message box about this security hole?

  • 3 weeks later...
Posted (edited)
On 2/6/2020 at 6:04 AM, Adriano Faria said:

If it's made by a member, it is like a post. He can post 1, he can post 94823498273497247923492394792374923742. That's how it works. If it's made by a guest (bot or something), then not even one, as THEORETICALLY Captcha should stop them.

Anyway, you should try to provide smarter feedback than attacking the support/IPS...

Bravo to you! You will really get far this way! 😄

Here's the thing though ... he is correct. One should not need to 'disable' a feature that is technically not compliant with the new world order, nor should one need to be polite about sharing the frustration of the experience described. Jan was venting in frustration, and it wound up prospectively solving the problem. Thus, indeed it was "smart feedback".

I for one am quite tired of those "in the know" replying to valid queries in an ambiguous manner and with an air of superiority to boot.

I have to agree with @Jan Krohn and @desti ^

Either fix this issue or prominently warn clients so that they can avoid legal non-compliance -- and responsibility for which the 'smart' client would ultimately place onto IPS.

Edited by z929669
  • Management
Posted

We will be releasing a patch or update soon that disables the email feature altogether. In 4.5, the email share function utilizes the sender's own mail client (mailto - for you nerdy types) and does not pass through the software. 

Posted
On 2/6/2020 at 12:24 PM, Jan Krohn said:

The support's brilliant suggestion was to disable that feature.

So instead of taking the responsibility to fix or remove an easily abusable feature, it's the customer's responsibility to disable it.

To be fair to the support staff, that is exactly what the general support department is supposed to do when you contact them. They advise on the software usage and explain your options, i.e. in this case, the option to turn it off. They aren’t in a position to decide to change that feature, nor to do it themselves instantly. If anything, they can pass it along to other team members who make those decisions. So I don’t really know what you expected from them that justifies this condescending tone. 

Posted

We have published a patch to change how the email sharer works; it will now open the sender's email client instead of sending email via Invision Community. This patch effectively backports the functionality from 4.5.

If you're affected by this you can obtain it from AdminCP > Support > Something isn't Working > Click 'apply patch'.
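The two properties asked for earlier in the thread (the share message cannot be replaced by arbitrary text, and one sender cannot fire off hundreds of copies a minute) and the 4.5-style alternative just described (hand the user a mailto: link so the site sends nothing) are shown below as an added example. This is illustrative code written for this page, not Invision Community's implementation; the content catalogue, the limits, the function names and the `https://forum.example` URL are all constructed assumptions.

```python
"""Hardened "share by email" handling (added example, not Invision Community code).

Mitigations demonstrated:
 1. The server composes subject and body from a content id only; the request
    carries no free-text message, so nothing the requester types reaches the mail.
 2. A sliding-window rate limit per sender key (user id or client IP).
 3. Header-injection guards on the recipient and the display name.
 4. The mailto: alternative: the site never sends mail at all.
"""
from collections import deque
from dataclasses import dataclass, field
from email.utils import parseaddr
import time
from urllib.parse import quote

# Constructed stand-in for the forum's content table.
CONTENT = {
    1234: {"title": "Welcome thread", "url": "https://forum.example/topic/1234"},
}

MAX_PER_WINDOW = 5      # assumed limit: shares per sender per window
WINDOW_SECONDS = 60.0   # assumed window length


class ShareError(Exception):
    """Raised when a share request is rejected."""


@dataclass
class ShareGuard:
    """Sliding-window rate limiter keyed by sender (user id or IP)."""
    max_per_window: int = MAX_PER_WINDOW
    window: float = WINDOW_SECONDS
    _log: dict = field(default_factory=dict)

    def check_rate(self, sender_key, now=None):
        """Return True and record the send if the sender is under the limit."""
        now = time.monotonic() if now is None else now
        q = self._log.setdefault(sender_key, deque())
        while q and now - q[0] > self.window:   # drop sends outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True


def valid_recipient(addr):
    """Accept a single plain address; reject anything carrying CR/LF (header injection)."""
    if "\r" in addr or "\n" in addr:
        return False
    _, email = parseaddr(addr)
    return bool(email) and "@" in email


def compose_share(content_id, sender_name):
    """Server-side template: only the content id comes from the request."""
    item = CONTENT.get(content_id)
    if item is None:
        raise ShareError("unknown content")
    sender_name = " ".join(sender_name.split())   # collapse whitespace incl. CR/LF
    subject = f"{sender_name} shared: {item['title']}"
    body = (f"{sender_name} thought you might like this:\n"
            f"{item['title']}\n{item['url']}\n")
    return subject, body


def handle_share_request(guard, sender_key, sender_name, recipient, content_id, now=None):
    """Validate, rate-limit, then return the mail that would be handed to the MTA."""
    if not valid_recipient(recipient):
        raise ShareError("bad recipient")
    if not guard.check_rate(sender_key, now):
        raise ShareError("rate limited")
    subject, body = compose_share(content_id, sender_name)
    return {"to": recipient, "subject": subject, "body": body}


def mailto_link(content_id):
    """The 4.5 approach: build a mailto: link and let the user's own client send."""
    item = CONTENT.get(content_id)
    if item is None:
        raise ShareError("unknown content")
    return "mailto:?subject=" + quote(item["title"]) + "&body=" + quote(item["url"])


if __name__ == "__main__":
    g = ShareGuard(max_per_window=3)
    print(handle_share_request(g, "user:1", "Alice", "bob@example.org", 1234))
    print(mailto_link(1234))
```

The important design choice is that `handle_share_request` has no parameter for a message body: a caller cannot replace the share text because there is nothing to replace it with, and the limit is enforced before any mail object is built, so a bot hitting the endpoint burns only the rate check. The mailto: variant sidesteps both problems by never putting the site's mail credentials or sender reputation behind the feature.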

Posted

Two of my forums were abused by this security hole.

Since Tuesday (March 17th) 

  • a spammer has sent out about 1.4 million spam mails (1,400,000)
  • which results in a direct loss of about 800$ and counting (payment to Sendgrid)
  • and a damaged sender reputation for my forum

Now I realize that

  • you are aware of this problem for weeks
  • you have a patch ready since Tuesday and
  • you didn't tell your paying customers a word

We need to talk. I am not amused.

Andreas

Posted (edited)

I too had this problem, over 389,000 emails... I was only notified by my host who in turn wasn’t very happy.

However we disabled this function and it has obviously fixed this issue. But, now we have to find out if our server has been blacklisted.

Edited by Dean_
Posted
On 3/20/2020 at 11:49 PM, NZyan said:

you didn't tell your paying customers a word

I think someone was just scared to acknowledge the existence of the problem.

Posted
15 hours ago, desti said:

I think someone was just scared to acknowledge the existence of the problem.

I don't think so but I have no explanation – so I expect one from IPBoard.

I appreciate IPBoard as a great software partner with great support.
In my book a good and reliable partnership includes transparency and open talk if a problem exists and damage is done.
So that's what I expect now.

Andreas

Posted
4 hours ago, NZyan said:

so I expect one from IPBoard.

I disabled this feature long before the problem occurred, but I don't know why I'd get information about such problems from other people, not from the software developer. So my main claim is not that I suffered any losses, but that no one informed me of the problem.

Posted

Even though I was not affected, in my opinion this was a pretty severe issue and all customers should have been informed, either via email or via the nagging upgrade red banners. It is quite possible that people are ramping up severe email bills as we speak.

Posted

The lack of communication channels surrounding these "hidden" updates (only visible to a community administrator if you click "Something is wrong" in the Admin CP), which has the undesired consequence of clearing out all cached files, simply needs to be reconsidered by Invision.

  • Management
Posted

I'm very sorry for the inconvenience, confusion and poor handling of this issue. Although this functionality has existed for quite some time, this was not identified as a widespread / abused issue until recently. When the growing concern was brought to management attention, we acted as quickly as possible. 

A red warning banner should display for anyone impacted; I apologize if it didn't for some of you initially. We have corrected the issue - pushing remote notifications to AdminCPs is not a system we use very often, so there was a kink. 

Once again, my sincerest apologies for the ball being dropped on this; it is, as you know, not typical of us, and we will do our best to ensure it doesn't happen again.
