Community mailing list archives

community@mail.odoo.com

Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by
Fabien Pinckaers (fp)
- 11/11/2015 13:37:22
Odoo uses OAuth by default for portal users (not regular users). OAuth is widely used in the industry by Facebook, LinkedIn, Google, GitHub, ... The idea is that you use a third party to authenticate the user, using the OAuth protocol (e.g. Login with GitHub on Transifex).

Advantages:
  • You don't need to give your password to the merchant
  • Single login / password for several websites
  • Credentials are managed by another party than other data (orders, credit cards, ...)
About the odoo.com OAuth: [1]
  • Customer passwords are protected with industry-standard PBKDF2+SHA512 encryption (salted + stretched for thousands of rounds)
  • Odoo staff does not have access to your password, and cannot retrieve it for you, the only option if you lose it is to reset it
  • Login credentials are always transmitted securely over HTTPS
If you think your website is more trustworthy than Odoo, all you need to do is to uninstall OAuth. Then, you will receive the passwords of all your ecommerce customers / portal users.

Note that our OAuth implementation is standard, you can configure it to use facebook.com instead of odoo.com, if you prefer.

Long story short: it's not a security issue, it's a good practice.

-- 
Fabien

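The reply above describes the password storage on the OAuth side as salted, stretched PBKDF2+SHA512. What that actually means in practice is a key derivation (a one-way hash, not reversible encryption): the stored record can only be re-derived and compared, never decrypted, which is why the only recovery path is a reset. The following is an added example written for this archive page, not Odoo's own code; the record layout `$pbkdf2-sha512$<rounds>$<salt>$<hash>` and the iteration count are assumptions for illustration.

```python
"""Added example (not Odoo code): salted, stretched PBKDF2-HMAC-SHA512
password storage with constant-time verification.

Assumed record format for this illustration:
    $pbkdf2-sha512$<rounds>$<base64 salt>$<base64 derived key>
"""
import base64
import hashlib
import hmac
import os

ROUNDS = 25000      # assumed iteration count; raise it as hardware allows
SALT_BYTES = 16     # 128-bit random salt per record
DK_LEN = 64         # SHA-512 output length in bytes


def hash_password(password, rounds=ROUNDS, salt=None):
    """Derive a salted, stretched key and pack it into one record string.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed tables are useless and a leaked record
    only helps an attacker against that one user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt, rounds, dklen=DK_LEN)
    return "$pbkdf2-sha512${}${}${}".format(
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Re-run the derivation with the stored salt and rounds, then compare
    in constant time. Malformed records simply fail verification."""
    try:
        _, scheme, rounds, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2-sha512":
            return False
        rounds = int(rounds)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def record_salt(record):
    """Return the raw salt stored in a record (used to show that the salt,
    not the password, is what makes two records differ)."""
    return base64.b64decode(record.split("$")[3])
```

There is deliberately no `recover_password` function: with this scheme an operator holding the database can confirm a guess but cannot read the password back, which is the property the reply relies on. Note also that the iteration count is stored inside the record, so it can be raised over time and old records still verify.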

On Wed, Nov 11, 2015 at 5:42 PM, Andreas Becker <andi@lisandi.com> wrote:
We were just shocked that when you create a new customer and you change the password of that customer you will receive a link which shows your page URL but finally it gets REDIRECTED to ODOO.COM

W H A T  I S  T H A T???

This is incredible! This is worse than the NSA as customers never know what will happen with their data. Additionally, it is violating EU privacy laws.

It is completely incomprehensible why customers who have been created completely new on a local server!!! get a link to reset their password which directs them to odoo.com

Why is ODOO.COM collecting customer data from customers which are not even their customers?

Fabien I want a very clear and understandable answer for this behaviour as it is not tolerable!

In a new ODOO setup where we have loaded a database which had been created on a Digital Ocean server and then been moved to another dedicated server, suddenly after we created a new user this user gets redirected to ODOO.COM, and this even without our knowledge, as the link does not show anything from odoo.com - it actually shows the domain name of the site installation.

I recommend that others verify that this is happening. IMHO such a thing should never at all happen in software like this where people have to TRUST that their data is secured. If things like this happen it looks like ODOO could also be connected directly with the NSA and other secret services to spy out data.

We are shocked here! You are from Belgium and I think you know the EU laws and regulations about privacy. Additionally, the German ones are even stronger. PLEASE PLEASE take out all the links you have hidden in ODOO to spy out our customers' data. Never ever should such a thing happen again! I hope this is fixed by the end of the week!

A newly created customer should never ever get redirected to the odoo.com website without his consent!!!! If there is a password reset then that customer should ONLY get directed to the server domain of the installation he is a user of.

Besides this we really want to know what other data and links are hidden in ODOO that we don't know about?

I am very sad about that!

---

The steps we took:

1. Created a new user
2. Changed the user's password
3. A box appears with the reset link in it, and it says that a mail has been sent to that user with that link
4. In that link you see NOTHING about odoo.com; it only shows the site domain of our site and states reset etc. in the link.
5. When you click on that link you get directed to the odoo.com password reset site
6. If you enter the password at this site it even says the username is not there

BUT the question is why is this happening at all and what data has been sent with that, or does data regularly get sent to odoo.com without our knowledge - very worried! Sorry!

Imagine what this means for companies who sell an ODOO site and then things like this happen after the site has been sold to the customer - especially in Germany where privacy laws are very very strict and get enforced!

I hope that stuff gets out of ODOO immediately, as the product is really great but this is not OK!


With kind regards,

Mit freundlichen Grüßen,
Con un cordial saludo,
Cordialement,
с сердечным приветом,
เรื่องที่เกี่ยวกับชนิด,
與親切的問候,

ANDI BECKER
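The steps above amount to "click the reset link and see where you end up", which a browser hides by following redirects automatically. The check a practitioner would actually want is to fetch the link with redirects disabled and record every hop, so that a reset URL carrying the installation's own hostname but answering with a redirect to another host is visible, together with exactly what (including the token in the query string) the other host receives. The following is an added example written for this archive page, not Odoo code; the hostnames, the token and the redirect chain are constructed sample data standing in for the behaviour described in the thread.

```python
"""Added example (not Odoo code): trace a password-reset link hop by hop
and flag any hop that leaves the installation's own host.

SAMPLE_RESPONSES is constructed data for offline use; it mirrors the
situation in the thread (link shows the site's own host, first hop answers
with a redirect elsewhere). live_fetch() does the same against a real URL.
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Constructed sample: url -> (HTTP status, Location header or None)
SAMPLE_RESPONSES = {
    "https://shop.example.com/web/reset_password?token=abc123":
        (303, "https://accounts.example.org/web/reset_password?token=abc123"),
    "https://accounts.example.org/web/reset_password?token=abc123":
        (200, None),
}


def sample_fetch(url):
    """Offline stand-in for one HTTP request; unknown URLs answer 404."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def live_fetch(url, timeout=10):
    """Real fetcher that refuses to follow redirects, so each hop is visible.
    Returns (status, Location header or None). Not used by the offline demo."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=sample_fetch, max_hops=10):
    """Follow redirects one hop at a time; return [(url, status), ...].

    Stops at the first non-3xx answer, at a 3xx without Location, or after
    max_hops (guards against redirect loops)."""
    chain = []
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((url, status))
        if not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain


def foreign_hosts(chain, trusted_host):
    """Hosts touched by the chain other than the installation's own."""
    return sorted({urlsplit(u).hostname for u, _ in chain
                   if urlsplit(u).hostname != trusted_host})


def audit_reset_link(link, trusted_host, fetch=sample_fetch):
    """Return the hop chain, whether it leaves the trusted host, and which
    other hosts saw the request (and therefore the token in the URL)."""
    chain = trace_redirects(link, fetch)
    foreign = foreign_hosts(chain, trusted_host)
    return {"chain": chain, "leaves_site": bool(foreign),
            "foreign_hosts": foreign}


if __name__ == "__main__":
    # Offline demo against the constructed chain.
    result = audit_reset_link(
        "https://shop.example.com/web/reset_password?token=abc123",
        "shop.example.com")
    for url, status in result["chain"]:
        print(status, url)
    print("leaves site:", result["leaves_site"], result["foreign_hosts"])
```

Run against a real installation by passing `fetch=live_fetch` and the installation's own hostname as `trusted_host`; the chain printout is the evidence to attach to a report, and the `foreign_hosts` list tells you which third party received the reset token.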

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe