URGENT: Oxwall Leaking Private User Info! | Forum

Chris Jul 1 '11
Hi,
I have my own hosting solution of oxwall, hosted by the suggested provider HostForWeb.

It is set as a private community (i.e. in Global settings: invitation only, no guest view, mandatory approve users).

I use my site with students at a school; so safety is important.

If you google one of the users on the network and add the network name after it, in the results you can read lots of things students have posted. Fair enough if you follow the link in the search results, it forces you to login, but this is not secure enough.

Should google be able to crawl through and access information which is supposedly behind a login?

I need this to stop. Are there any solutions?

What is worse is that you can view a 'cached' version of the page in Google results and it shows you everything.

THIS IS VERY BAD - I am now taking my network offline until this is resolved.
The Forum post is edited by Chris Jul 1 '11
Ahmed Khlifi Jul 1 '11
I advise you not to take your site off; everyone faces the same problem, even Facebook users.
Go search for your Facebook profile on Google and you can find it too :/
Facebook announced lately about this problem and insisted that Google should fix it, and yeah, they are working on it!! ^_^ It would take some time to make all that huge information private.
And for now, you can make your site just look like Twitter, I mean no private information, just fun and chat :D
The Forum post is edited by Ahmed Khlifi Jul 1 '11
Ahmed Khlifi Jul 1 '11
Look at this pic.
I just captured it :)
Attachments:
  2011-07-01_195244.png (79.95Kb)
Ahmed Khlifi Jul 1 '11
@LEO, that wouldn't help, the information is still public xP
The Forum post is edited by Ahmed Khlifi Jul 1 '11
Chris Jul 1 '11
Even Facebook has an option to be not publicly visible.

Oxwall shows you everything. Posts, blogs, info etc.

Site was never public and never has been visible to guests.

Searched for myself on google for my Facebook and nothing was accessible.

With oxwall on google you can actually press cached and you see the whole page!

Mark Jul 1 '11
You could add no-cache and no-index headers to the template files.
Chris Jul 2 '11
How would I do that?
Emil Team
Emil Jul 2 '11
Your current problem is you set the site closed for guests _after_ it was crawled and indexed by Google. That's the only possibility for it to get behind login screen.

Once that information is in index Google may persistently keep it there for some time. Try to de-index it as other people suggest. Also, next time if you create a private site, make sure it's private before any crawler gets it.

Hope that helps.
Chris Jul 2 '11
That's just it though, it never ever has been public.

Given it is a school site, it was all private before we put any students on. It never has or will be public and google are indexing it.

I think this is a serious security issue that needs addressing. It is getting beyond the login screen and nobody at oxwall seems to be seeing this as a concern.

It is also happening on my other network which is private and is hosted at wall.fm.

Thanks for the advice. I will give it a go.
The Forum post is edited by Chris Jul 2 '11
Chris Jul 2 '11
@Leo - thanks for that. Think I found what I needed from there "
Emil Team
Emil Jul 3 '11
Chris, that doesn't sound right. Can you please PM me with your site URL so I can check things out.
Chris Jul 3 '11
@Leo - I would normally agree. But google is going behind the sign in page. I noticed that when I go to my network, for a split second, it shows you inside the network then the sign in screen flashes on. I think there is a massive security issue here.

Happening on both networks I have - one I host myself, the other hosted at wall.fm. Both are set as closed and never ever have been open.

@Emil - will send now. Thank you


Could the splash screen we have activated be causing a security issue? I have just disabled it and I didn't see any of the network when browsing to my url.
The Forum post is edited by Chris Jul 3 '11
Den Team
Den Jul 4 '11
How did you make your site private? Did you close all of your site to non-logged-in users? Or did you just enable Splash Screen?
This is something fantastic that Google can log in and cache your site :)
The Forum post is edited by Den Jul 4 '11
Chris Jul 4 '11
The site was made private by setting guests to not be able to access and only invited people can join.

The splash screen was then turned on, to remind our users to obey copyright etc. I noticed that when this was on, for a split second you actually see beyond the login screen - it shows you the site content. Then after a second, the login screen appears.

I have turned the splash screen off now.

This isn't me. There is genuinely an issue here.

Privacy settings...
The Forum post is edited by Chris Jul 4 '11
Mark Jul 4 '11
The problem I find is that even with guest access disabled they can still view certain stuff; it's only when they click a link to read the full story or view a profile that they are denied access. What you need to do is go onto the pages and menus setting page, edit each menu item and untick the guest access box.


(sorry about poor spelling typing in a rush)
Chris Jul 4 '11
I checked the menus. All have guest unticked.

Only way I seem to be able to manage it is to remove remote linking so anything that does get cached now generates a 403 forbidden error. Trouble is info is still cached but it's only when you follow a link that the error is generated.
Den Team
Den Jul 5 '11
If you set the site to logged-in members only, then the system will ask you to log in when you try to open any page. I don't understand how Google cached your site without login. This is something fantastic :)
Chris Jul 5 '11
I know it sounds like I am totally crazy but this is definitely happening.

Funny how it is happening on the Oxwall install on my server and also the other one I have hosted by Wall.fm!

As I say, I have put on LightScribe 403 on remote linking now, so no major concern for me but still something I bet will crop up for someone else in future.

Thanks for your continued advice and conversation though folks. It is much appreciated.
Emil Team
Emil Jul 6 '11
Chris,

Sorry for so much back and forth. We've just found out that it's definitely a bug. And a serious one. Splash screen and private modes do not treat each other well. Wall.fm guys will apply this patch shortly and we'll put a quick fix here.

Currently an easy fix is to disable splash screen. If your site is set to private then your content is safe.

Thank you for going to great lengths to make us find it.
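
An added example, not part of the thread and not Oxwall code: a small audit of what a client with no session cookie actually receives, covering both the symptom Chris reported (member content in the page before the login screen appears) and the noindex/no-cache suggestion Mark made earlier. The function names, the marker string and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

class _MetaScan(HTMLParser):
    """Collects <meta name="robots"> directives and any meta-refresh target."""
    def __init__(self):
        super().__init__()
        self.robots, self.refresh = set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        content = a.get("content", "")
        if a.get("name", "").lower() == "robots":
            self.robots |= {d.strip().lower() for d in content.split(",")}
        if a.get("http-equiv", "").lower() == "refresh":
            self.refresh = content

def audit_guest_response(status, headers, body, markers):
    """Return findings for one response fetched WITHOUT a session cookie."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scan = _MetaScan()
    scan.feed(body)
    leaked = [m for m in markers if m in body]
    if leaked:
        # A crawler stores these bytes; a later client-side jump to login does not undo that.
        how = "client-side redirect" if scan.refresh else f"HTTP {status}"
        findings.append(f"LEAK: member content in guest response ({how}): {leaked}")
    header_robots = {d.strip().lower() for d in hdrs.get("x-robots-tag", "").split(",")}
    robots = scan.robots | header_robots
    for directive in ("noindex", "noarchive"):
        if directive not in robots:
            findings.append(f"HARDEN: no '{directive}' directive (header or meta)")
    return findings

# Constructed sample responses (not captured from any real site).
LEAKY = (200, {"Content-Type": "text/html"},
         '<html><head><meta http-equiv="refresh" content="0;url=/sign-in"></head>'
         '<body><div class="post">Year 9 homework thread</div></body></html>')
PRIVATE = (302, {"Location": "/sign-in", "X-Robots-Tag": "noindex, noarchive"}, "")
MARKERS = ["Year 9 homework thread"]  # text that only members should ever see

if __name__ == "__main__":
    for name, resp in (("leaky", LEAKY), ("private", PRIVATE)):
        print(name, audit_guest_response(*resp, MARKERS))
```

The robots directives only ask crawlers not to index or keep a cached copy; the actual control is the server never sending member content to a guest, which is what the LEAK finding tests.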
Chris Jul 6 '11
Thanks for letting me know, Emil.

Glad it wasn't just me imagining things. I was starting to question myself!

Will look forward to a fix.

Thanks again.
Chris