Hello,
I've just been notified of a data confidentiality issue related to the email address included in the URL.
Some people want to share the link to a response, but it contains the email address.
The URL looks something like this: https://www.example.com/ticket.php?track=4PR-P33-L8QU&e=contact%40example.com, but it would be more appropriate to include the account ID to maintain confidentiality (e.g., https://www.example.com/ticket.php?track=4PR-P33-L8QU&e=111).
Privacy Concerns Regarding URL Links Containing Email Addresses
Moderator: mkoch227
Re: Privacy Concerns Regarding URL Links Containing Email Addresses
This happens because Hesk is set to require emails to view tickets (Admin panel > Settings > Help desk > Security > View tickets: Require email to view a ticket).
Account ID is easy to guess. You can share the link without the email address, but then the person will need to type in the email to view it.
https://www.example.com/ticket.php?track=4PR-P33-L8QU
Klemen, creator of HESK and PHPJunkyard
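One way to apply the advice in the reply above before a ticket link is pasted somewhere public, as an added example that is not part of the thread or of Hesk's code: it drops the `e` parameter seen in the URLs above, plus any other query value that looks like an email address. The function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Loose pattern: enough to flag an address-like value, not to validate one.
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def shareable_link(url, drop_params=("e",)):
    """Return (clean_url, removed_names) for one URL.

    A query parameter is dropped when its name is in drop_params (the page's
    ticket links use `e`) or when its decoded value looks like an email.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    # parse_qsl percent-decodes, so contact%40example.com is seen as an address.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in drop_params or EMAIL_RE.fullmatch(value):
            removed.append(name)
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(kept), parts.fragment))
    return clean, removed


def scrub_text(text):
    """Rewrite every http(s) link inside a message so it is safe to share."""
    def fix(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")      # keep sentence punctuation out of the URL
        return shareable_link(url)[0] + raw[len(url):]
    return URL_RE.sub(fix, text)


if __name__ == "__main__":
    # Constructed sample message built from the example URL in the thread.
    msg = ("See https://www.example.com/ticket.php"
           "?track=4PR-P33-L8QU&e=contact%40example.com, thanks")
    print(scrub_text(msg))
```

With "Require email to view a ticket" enabled, the recipient of the cleaned link is asked to type the email address; with the setting disabled, the tracking ID alone opens the ticket.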
Re: Privacy Concerns Regarding URL Links Containing Email Addresses
Precisely, some people need to share a link after ensuring that it doesn't contain any personal data, and if so, it would be their responsibility.
Yes and no, because an ID alone, yes, I grant you, is easy to find, but coupled with "track=4PR-P33-L8QU" it already complicates things, because you have to verify the ID and track pair.
But hey, that's the logic of some of my users, which I understand, especially if it's a topic that can be shared without needing to log in with an email address (it's also complicated to associate an email address with an ID, which still ensures confidentiality).
On the one hand, if the full URL https://www.example.com/ticket.php?trac ... xample.com is disclosed and therefore functional, whereas with https://www.example.com/ticket.php?track=4PR-P33-L8QU you have to identify the email address, this doesn't make sense to me. So, having an ID instead of the email address would have exactly the same effect, except that the associated email address wouldn't be disclosed.
This is a choice made by the Hesk software, and I respect that, but I don't find it very logical since this issue was brought to my attention.
Re: Privacy Concerns Regarding URL Links Containing Email Addresses
Why don't you disable the "Require email to view a ticket" setting? That way https://www.example.com/ticket.php?track=4PR-P33-L8QU will work without any email addresses.
Klemen, creator of HESK and PHPJunkyard
Re: Privacy Concerns Regarding URL Links Containing Email Addresses
In fact, I will use this solution; given the structure "4PR-P33-L8QU", there is little chance of finding an exact match by chance.
Re: Privacy Concerns Regarding URL Links Containing Email Addresses
Correct, the tracking ID is very random and hard to guess. Plus, it is checked by Hesk's brute-force protection which blocks anyone who tries to guess the tracking ID and fails a couple of times.
Klemen, creator of HESK and PHPJunkyard