BUG? GDPR compliance issue? private email addresses are being shown!

tomastd · April 4, 2020, 4:30pm

Hi, I am not sure if it is a bug or an expected behaviour but I think it is a problem for GDPR compliance. That info might be also accesible from other apps.

This issue has been reported by a user in our nextcloud instance. That instance, which has an A+ in Nextcloud Security Scan. The instance also has all email privacy scope set to “Private” by default.

The issue has been tested in other instances hosted in different servers.

To replicate the isuue:

While wrintg an email in rainloop app, even if a user has no contacts in his account, rainloop proposes the emails of all the instance users.

tomastd · April 4, 2020, 5:56pm

Well, if it is not a bug, is there any way to avoid it?

JimmyKater · April 4, 2020, 6:03pm

i guess you should ask this at official rainloop -github as this app is just a package from it…

tomastd · April 4, 2020, 6:07pm

Maybe, but the leak of information is in Nextcloud Server app, not in Rainloop which is just a client. Anyway, I will write it also in Rainloop’s github.
Thank you!!!

kesselb · April 4, 2020, 6:51pm

https://github.com/pierre-alain-b/rainloop-nextcloud/issues would be the repository.

tomastd · April 4, 2020, 7:20pm

Here the report in rainloop-nextcloud github.

tomastd · April 5, 2020, 3:34pm

The issue has been merged with other thread, here the link: