Community mailing list archives
Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!by
Jordi Ballester Alomar
I would explain you what YOU did incorrectly, not Odoo.
But by the tone of your email I got so irritated that I will keep the answer with me.. at least for now.
On Wed, Nov 11, 2015 at 5:42 PM, Andreas Becker <firstname.lastname@example.org> wrote:
We were just shoked that when you create a new customer and you change the password of that customer you will receive a link which shows you page URL but finally it gets REDIRECTED to ODOO>COMW H A T I S T H A T???This is incredible! This is worse than NSA as customers never know what will happen with their data. Additional it is violating EU privacy laws.It is complete ununderstandable why customers which have been created completely new on a local server!!! get a link to reset their password which directs them to odoo.comWhy is ODOO.COM collecting customer data from customers which are not even their customers?Fabien I want a very clear and understandable answer for this behaviour as it is not tolerable!In a new ODOO setup where we have loaded a database which have been created on a digital ocean server and than been moved to another dedicated server suddenly after we created a new user this user gets redirected to ODOO.COM and this even without our knowledge as the link does not show anything from odoo.com - it shows actually the domain name of the site installation.I recommend that others verify that this is happening. IMHO such a thing should never at all happen in a software like this where people have to TRUST that their data is secured. If things like this happen it looks like ODOO could also be connected directly with NSA and other Secret services to spy out data.We are shocked here! You are from Belgium and I think you know the EU laws and regulations about privacy. Additional the German ones are even stronger. PLEASE PLEASE take out all links you have put in hidden into ODOO to spy out our customers data. Never ever such a thing should happen again! I hope this is fixed by end of the week!A newly created customer should never ever get redirected to the odoo.com website without his consent!!!! If there is a password reset than that customer should ONLY get directed to the server domain of the installation he is a user of.Beside this we really want to know know what else data and links are hidden in ODOO! and we don't know about it?I am very sad about that!---The steps we took:1 Created a new user2 Changed the users password3 a box appears where the reset link is in and it says that a mail had been send to that user with that link4. In that link you see NOTHING about odoo.com it only shows the site domain of our site and states reset etc in the link.5 when you click on that link you get directed to the odoo.com password reset site6 if you enter the password at this site it even says the username is not thereBUT the question is why is this happening at all and what data has been send with that or does regularly data get send to odoo.com without our knowledge - very worried! Sorry!Imagine what this means for companies who sell an ODOO site and than things happen like this after the side has been sold to the customer - especially in Germany where Privacy Laws are very very strict and get enforced!I hope that stuff gets out of ODOO immediately as the p[roduct is really great but this is not OK!