Community mailing list archives

community@mail.odoo.com

Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by
Skillteam, Houssine BAKKALI
- 11/11/2015 12:12:52
Don't feed the troll :)

2015-11-11 18:06 GMT+01:00 Luke Branch <odoocommunitywidgets@gmail.com>:
Andreas,

I think you need to read up about the oAuth settings.

The default oAuth provider in Odoo is Odoo; you can add others (Google, etc.). However, just read on the forums about how to change the setting before jumping to conclusions like that.

The problem here is your configuration.

See this post for an easy fix:


On 12 Nov 2015, at 12:42 AM, Andreas Becker <andi@lisandi.com> wrote:

We were just shocked that when you create a new customer and you change the password of that customer, you will receive a link which shows your page URL but finally gets REDIRECTED to ODOO.COM

W H A T  I S  T H A T???

This is incredible! This is worse than the NSA, as customers never know what will happen with their data. Additionally, it is violating EU privacy laws.

It is completely incomprehensible why customers who have been created completely new on a local server!!! get a link to reset their password which directs them to odoo.com

Why is ODOO.COM collecting customer data from customers which are not even their customers?

Fabien I want a very clear and understandable answer for this behaviour as it is not tolerable!

In a new ODOO setup, where we have loaded a database which had been created on a Digital Ocean server and then been moved to another dedicated server, suddenly after we created a new user this user gets redirected to ODOO.COM, and this even without our knowledge, as the link does not show anything from odoo.com - it actually shows the domain name of the site installation.

I recommend that others verify that this is happening. IMHO such a thing should never at all happen in software like this, where people have to TRUST that their data is secured. If things like this happen, it looks like ODOO could also be connected directly with the NSA and other secret services to spy on data.

We are shocked here! You are from Belgium and I think you know the EU laws and regulations about privacy. Additionally, the German ones are even stronger. PLEASE PLEASE take out all the links you have hidden in ODOO to spy on our customers' data. Such a thing should never ever happen again! I hope this is fixed by the end of the week!

A newly created customer should never ever get redirected to the odoo.com website without his consent!!!! If there is a password reset, then that customer should ONLY get directed to the server domain of the installation he is a user of.

Besides this, we really want to know what other data and links are hidden in ODOO that we don't know about!

I am very sad about that!

---

The steps we took:

1. Created a new user
2. Changed the user's password
3. A box appears with the reset link in it, and it says that a mail had been sent to that user with that link
4. In that link you see NOTHING about odoo.com; it only shows the site domain of our site and states reset etc. in the link
5. When you click on that link you get directed to the odoo.com password reset site
6. If you enter the password at this site it even says the username is not there

BUT the question is why this is happening at all, and what data has been sent with that, or does data regularly get sent to odoo.com without our knowledge - very worried! Sorry!

Imagine what this means for companies who sell an ODOO site and then things like this happen after the site has been sold to the customer - especially in Germany, where privacy laws are very very strict and get enforced!

I hope that stuff gets out of ODOO immediately, as the product is really great but this is not OK!


With kind regards,

Mit freundlichen Grüßen,
Con un cordial saludo,
Cordialement,
с сердечным приветом,
เรื่องที่เกี่ยวกับชนิด,
與親切的問候,

ANDI BECKER
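The steps above boil down to one observable symptom: a reset link on the instance's own domain that, when followed, ends up on another host. The following added example (not code from the thread or from Odoo) is a small checker an administrator can run against the redirect chain observed for such a link, flagging the first hop that leaves the set of hosts the installation is allowed to use. The URLs, hosts and responses below are constructed samples, not values from the thread.

```python
from urllib.parse import urljoin, urlsplit

# Redirect status codes a browser will follow automatically.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _host(url):
    """Return the lower-cased host of a URL, keeping a port only if it is non-default."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (parts.scheme == "https" and port == 443) or (parts.scheme == "http" and port == 80)
    if port and not default:
        host = f"{host}:{port}"
    return host


def first_external_hop(reset_url, responses, allowed_hosts):
    """Walk an observed chain of (status, Location) responses starting at reset_url.

    Relative and scheme-relative Location headers are resolved against the
    previous URL, as a browser would do. Returns a dict with the resolved
    chain and the first URL whose host is not in allowed_hosts (or None).
    """
    allowed = {h.lower() for h in allowed_hosts}
    current = reset_url
    chain = [current]
    for status, location in responses:
        if status not in REDIRECT_STATUSES or not location:
            break  # final response reached; nothing further is followed
        current = urljoin(current, location)
        chain.append(current)
        if _host(current) not in allowed:
            return {"external": current, "chain": chain}
    return {"external": None, "chain": chain}


# Constructed sample: the reset link lives on the instance, the first hop is an
# on-site login redirect, the second hop leaves for a third-party host.
SAMPLE_RESET_URL = "https://erp.example.test/web/reset_password?token=PLACEHOLDER"
SAMPLE_RESPONSES = [
    (303, "/web/login?redirect=%2Fweb%2Freset_password"),
    (302, "https://external-provider.example/web/reset_password"),
    (200, None),
]

if __name__ == "__main__":
    result = first_external_hop(SAMPLE_RESET_URL, SAMPLE_RESPONSES, ["erp.example.test"])
    print("chain:", " -> ".join(result["chain"]))
    print("first external hop:", result["external"])
```

The response list is what you would record by following the link with redirects disabled and noting each status and Location header yourself.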

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe