Community mailing list archives

community@mail.odoo.com

Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by SISalp - 11/11/2015 12:15:18
Also check a no-phone-home module which disables hidden data
transmissions to Odoo.

As a general rule, Odoo considers that up-selling to your customers is
their right, as was explained at Odoo experience days. If you are
an official reseller, there is little you can do about it, iiuc.

Regards

2015-11-11 18:06 GMT+01:00 Luke Branch <odoocommunitywidgets@gmail.com>:
> Andreas,
>
> I think you need to read up about the OAuth settings.
>
> The default OAuth provider in Odoo is Odoo; you can add others (Google, etc.).
> However, just read on the forums about how to change the setting before
> jumping to conclusions like that.
>
> The problem here is your configuration.
>
> See this post for an easy fix:
>
> https://www.odoo.com/forum/help-1/question/remove-login-with-odoo-com-from-website-from-yourwebsite-web-login-instructions-74722
>
> Sent from my iPhone
>
> On 12 Nov 2015, at 12:42 AM, Andreas Becker <andi@lisandi.com> wrote:
>
> We were just shocked that when you create a new customer and you change the
> password of that customer, you will receive a link which shows your page URL
> but finally it gets REDIRECTED to ODOO.COM
>
> W H A T  I S  T H A T???
>
> This is incredible! This is worse than NSA as customers never know what will
> happen with their data. Additionally, it is violating EU privacy laws.
>
> It is completely incomprehensible why customers who have been created
> completely new on a local server!!! get a link to reset their password which
> directs them to odoo.com
>
> Why is ODOO.COM collecting customer data from customers which are not even
> their customers?
>
> Fabien, I want a very clear and understandable answer for this behaviour as
> it is not tolerable!
>
> In a new ODOO setup where we have loaded a database which has been created
> on a digital ocean server and then been moved to another dedicated server,
> suddenly after we created a new user this user gets redirected to ODOO.COM
> and this even without our knowledge as the link does not show anything from
> odoo.com - it shows actually the domain name of the site installation.
>
> I recommend that others verify that this is happening. IMHO such a thing
> should never at all happen in a software like this where people have to
> TRUST that their data is secured. If things like this happen it looks like
> ODOO could also be connected directly with NSA and other Secret services to
> spy out data.
>
> We are shocked here! You are from Belgium and I think you know the EU laws
> and regulations about privacy. Additionally, the German ones are even stronger.
> PLEASE PLEASE take out all hidden links you have put into ODOO to spy out
> our customers' data. Never ever should such a thing happen again! I hope this
> is fixed by end of the week!
>
> A newly created customer should never ever get redirected to the odoo.com
> website without his consent!!!! If there is a password reset then that
> customer should ONLY get directed to the server domain of the installation
> he is a user of.
>
> Besides this, we really want to know what other data and links are hidden
> in ODOO that we don't know about.
>
> I am very sad about that!
>
> ---
>
> The steps we took:
>
> 1. Created a new user
> 2. Changed the user's password
> 3. A box appears where the reset link is in and it says that a mail had been
> sent to that user with that link
> 4. In that link you see NOTHING about odoo.com; it only shows the site domain
> of our site and states reset etc. in the link.
> 5. When you click on that link you get directed to the odoo.com password
> reset site
> 6. If you enter the password at this site it even says the username is not
> there
>
> BUT the question is why is this happening at all and what data has been sent
> with that, or does data regularly get sent to odoo.com without our knowledge
> - very worried! Sorry!
>
> Imagine what this means for companies who sell an ODOO site and then things
> happen like this after the site has been sold to the customer - especially
> in Germany where Privacy Laws are very very strict and get enforced!
>
> I hope that stuff gets out of ODOO immediately as the product is really
> great but this is not OK!
>
>
> With kind regards,
>
> Mit freundlichen Grüßen,
> Con un cordial saludo,
> Cordialement,
> с сердечным приветом,
> เรื่องที่เกี่ยวกับชนิด,
> 與親切的問候,
>
> ANDI BECKER
>
> _______________________________________________
> Mailing-List: https://www.odoo.com/groups/community-59
> Post to: mailto:community@mail.odoo.com
> Unsubscribe: https://www.odoo.com/groups?unsubscribe