!EMERGENCY! serious privacy issue with latest SmarterMail versions
Problem reported by Sébastien Riccio - 6/12/2020 at 2:18 AM
Resolved
Dear SmarterTools,

Today we were contacted by the POLICE because a customer filed a complaint against us about a serious e-mail privacy issue.
We still can't believe what he discovered.

Since we updated from 7242 to the new public release, every mail he sends from the webmail is saved in the "Sent Items" folder... of ANOTHER customer's mailbox!

The other customer warned him about this, and they are both taking this privacy issue very seriously, as are we.
After contacting them, we were able to verify their claims and reproduce this.

The only similarity of both accounts is the mailbox name. Customer "A" mailbox is info@somedomain.com and customer "B" mailbox is info@otherdomain.com.

We now need to:

1) Have a complete understanding of why/how this is happening
2) Have a way to fix the issue ASAP!
3) Have a way of verifying all accounts that are affected by this
4) Inform all our customers about the problem, what it means for their e-mail privacy and how we are resolving it

This is an emergency issue and it takes total priority over all other open tickets we have.

Thank you in advance.

Sébastien Riccio
System & Network Admin

13 Replies

0
Gabriele Maoret - SERSIS Replied
It seems to be a huge issue!!!

No other info?
It's happening only with webmail?

For now we are not aware of a similar issue on our server, but I'm scared that this could happen to us too...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Sébastien Riccio Replied
Well, we have not yet tried to reproduce it with anything other than webmail, but it's already a huge problem.
It's happening only between mailboxes that have the same username on different domains.

I recall that during the beta, someone posted something here on the community about mail that was delivered to the wrong mailbox, in a mailbox on another domain. Maybe it's related.
However, I can't find the post anymore... the search function here is bogus anyway...

Sébastien Riccio System & Network Admin https://swisscenter.com
0
Chris Danks Replied
Hi

So we can try, tell me the exact steps you take to replicate this issue.

Also, I assume you have contacted SmarterTools support and provided them with step-by-step instructions on how to replicate this issue.
0
echoDreamz Replied
We had this issue during the beta, it sucked...
0
Sébastien Riccio Replied
The steps are pretty simple. We log in to the webmail of the user info@xxxxx.com and send a mail to any recipient.

Then we log in to the webmail of the user info@yyyyy.com and find a copy of the mail we sent from the other mailbox in the Sent Items folder.

As we have around 20k accounts and 5k domains on the server, it's a bit difficult to understand why this happens, and why it goes to this particular domain.

We might have the same issue with other accounts, but it's hard to find out. We would need to ask our customers if they have e-mails in their Sent Items that don't belong to them...

Sébastien Riccio System & Network Admin https://swisscenter.com
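The post above asks how to verify, across 20k accounts, which Sent Items folders contain someone else's mail, and notes that the problem only shows up between mailboxes sharing a username on different domains. The following is an added audit helper, not SmarterMail code and not from anyone in this thread: it first groups accounts by local part so the at-risk pairs can be checked first, then flags any message in a Sent folder whose From: address is not the mailbox owner. It assumes each mailbox's Sent Items can be exported as raw RFC 822 text (SmarterMail's on-disk format is not shown in the thread); the sample messages are constructed.

```python
"""Audit: find Sent Items messages whose From: address is not the mailbox owner.

Added illustration, not SmarterMail code. It assumes each mailbox's Sent folder
can be exported as raw RFC 822 text (SmarterMail's on-disk format is not shown
in the thread); the sample messages below are constructed.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr


def shared_local_parts(addresses):
    """Group addresses whose local part appears in more than one domain.

    The thread reports the problem only between mailboxes with the same
    username on different domains, so these are the accounts to check first.
    """
    by_local = defaultdict(list)
    for addr in addresses:
        local, _, domain = addr.lower().partition("@")
        if domain:
            by_local[local].append(addr.lower())
    return {local: sorted(addrs) for local, addrs in by_local.items() if len(addrs) > 1}


def foreign_sent_items(mailbox, raw_messages):
    """Return (Message-ID, From address) for each message in `mailbox`'s Sent
    folder whose From: header names a different address.

    Legitimate "send as" aliases will also show up here; treat the output as a
    list of messages to review, not as proof of a leak.
    """
    owner = mailbox.lower()
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, sender = parseaddr(msg.get("From", ""))
        if sender.lower() != owner:
            findings.append((msg.get("Message-ID", "<no-id>"), sender))
    return findings


def audit(sent_by_mailbox):
    """Run foreign_sent_items over every mailbox; return only those with hits."""
    report = {}
    for mailbox, raws in sent_by_mailbox.items():
        hits = foreign_sent_items(mailbox, raws)
        if hits:
            report[mailbox] = hits
    return report


# Constructed sample data: two "info" mailboxes on different domains plus one
# unrelated mailbox. Keys are mailbox owners, values are raw Sent Items messages.
SAMPLE_SENT = {
    "info@somedomain.com": [
        "From: info@somedomain.com\r\nTo: a@example.net\r\n"
        "Message-ID: <s1@somedomain.com>\r\nSubject: invoice\r\n\r\nbody\r\n",
    ],
    "info@otherdomain.com": [
        "From: info@otherdomain.com\r\nTo: b@example.net\r\n"
        "Message-ID: <o1@otherdomain.com>\r\nSubject: hello\r\n\r\nbody\r\n",
        # A message customer A sent that was filed into customer B's Sent Items.
        "From: Info <info@somedomain.com>\r\nTo: c@example.net\r\n"
        "Message-ID: <s2@somedomain.com>\r\nSubject: quote\r\n\r\nbody\r\n",
    ],
    "bob@somedomain.com": [
        "From: bob@somedomain.com\r\nTo: d@example.net\r\n"
        "Message-ID: <b1@somedomain.com>\r\nSubject: hi\r\n\r\nbody\r\n",
    ],
}


if __name__ == "__main__":
    print("accounts sharing a username across domains:", shared_local_parts(SAMPLE_SENT))
    for mailbox, hits in audit(SAMPLE_SENT).items():
        for msg_id, sender in hits:
            print(f"{mailbox}: {msg_id} carries From: {sender}")
```

The From: check is deliberately simple. On a real server, accounts that are allowed to send as an alias or as another domain's address will produce hits as well, so the output is a review list; what turns a hit into a confirmed incident is that the flagged sender is a different mailbox whose owner never had access to the folder.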
0
Chris Danks Replied
echoDreamz, did you report this during the beta testing?
If so, what was the response from SmarterTools?
0
Netmate Replied
Now I am too scared to upgrade.
0
Nathan Replied
Has anyone else been able to reproduce?

Haven't tested it yet, but we jumped from the last production build, I think from January, to the latest build and have not had any reports of the same problem after 6 days. We did not deploy any of the BETA builds in production, so if it is a wider issue I wonder if it is due to the intermediate builds?
1
Nathan Replied
Just tested with two accounts, john.doe@domainA.com and john.doe@domainB.com. Sent an email from each account using webmail to mail@domain123.com. Both emails appeared in the correct 'Sent Items' only. As a further sanity check I ensured both john.doe users were logged into webmail at the same time just in case there was some sort of session related issue but it still worked.

If this is a wider issue, it appears to either impact a subset of users or, at a guess, installations that have had previous BETA builds.

Anyone else care to share the results of their testing?
0
Thu Nguyen Replied
I'm going to upgrade but looks like I have to wait for this issue to be fixed.
Thanks for your info Riccio.
5
Tim Uzzanti Replied
Employee Post
We found an extremely rare issue where the stars need to line up perfectly for it to occur. We immediately placed several senior developers on it, and we found the cause of the issue and have it resolved. The "stars aligning" includes:

1 - The email address account names have to match exactly.
2 - The folder IDs have to match as well between the accounts.
3 - Microsoft .NET has to also put the two accounts into the same cache dictionary bucket in memory.

On over 100,000 accounts we checked for this issue, we only encountered it 3 times, and the issue would come and go for those users as well (based on Microsoft .NET modifying memory), making it more troublesome to detect.

Sebastien, on your server the account that was brought to your attention was the only instance.

Today's release will include the fix.
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
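The reply above names three conditions that all have to hold before one mailbox's Sent Items ends up in another's: identical account names, identical folder IDs, and both entries landing in the same cache bucket. The model below is an added illustration of that failure mode, written for this page; it is not SmarterMail's code, and the data model (numeric folder IDs, bucket count, the CRC32 hash used to pick a bucket, the `FolderRef`/`BucketedCache` names) is assumed. It pairs a cache whose entry match omits the domain with the strict version, and shows that the leak disappears as soon as any one of the three conditions fails.

```python
"""Model of a per-folder cache whose entry match omits the domain.

Added illustration, not SmarterMail's code; folder IDs, bucket count and hash
function are assumed. It shows why all three conditions named in the thread
must hold before one mailbox's Sent Items entry is handed to another mailbox.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FolderRef:
    local_part: str   # e.g. "info"
    domain: str       # e.g. "somedomain.com"
    folder_id: int    # per-mailbox folder ID (assumed to be a small integer)

    @property
    def address(self):
        return f"{self.local_part}@{self.domain}"


class BucketedCache:
    """Hash-bucketed cache. `same_entry` decides whether a cached key matches
    the lookup key once both sit in the same bucket; that is where the bug lives."""

    def __init__(self, n_buckets, same_entry):
        self.buckets = [[] for _ in range(n_buckets)]
        self.same_entry = same_entry

    def bucket_index(self, ref):
        # Deterministic hash so the example is reproducible. A runtime whose
        # string hashing varies per process would make the collision come and
        # go between restarts, which matches how the symptom is described.
        return zlib.crc32(ref.address.encode()) % len(self.buckets)

    def get_or_add(self, ref, factory):
        bucket = self.buckets[self.bucket_index(ref)]
        for key, value in bucket:
            if self.same_entry(key, ref):
                return value
        value = factory(ref)
        bucket.append((ref, value))
        return value


def weak_match(cached, wanted):
    # BUG: account name and folder ID are compared, the domain never is.
    return cached.local_part == wanted.local_part and cached.folder_id == wanted.folder_id


def strict_match(cached, wanted):
    # Fix: the full address is part of the entry's identity.
    return cached == wanted


def new_sent_folder(ref):
    return {"owner": ref.address, "messages": []}


def sent_folder_owners(n_buckets, matcher, folder_id_b=7):
    """Resolve Sent Items for info@somedomain.com, then for info@otherdomain.com,
    and return which mailbox each resolved folder actually belongs to."""
    cache = BucketedCache(n_buckets, matcher)
    a = FolderRef("info", "somedomain.com", 7)
    b = FolderRef("info", "otherdomain.com", folder_id_b)
    return (
        cache.get_or_add(a, new_sent_folder)["owner"],
        cache.get_or_add(b, new_sent_folder)["owner"],
    )


def leaks(n_buckets, matcher, folder_id_b=7):
    """True when customer B's sent mail would be filed into customer A's folder."""
    owner_a, owner_b = sent_folder_owners(n_buckets, matcher, folder_id_b)
    return owner_b == owner_a


if __name__ == "__main__":
    # One bucket forces condition 3; with conditions 1 and 2 met, the weak matcher leaks.
    print("weak, 1 bucket, same folder id:", leaks(1, weak_match))
    # Break condition 2 (different folder IDs) and the same cache is fine.
    print("weak, 1 bucket, folder ids 7/8:", leaks(1, weak_match, folder_id_b=8))
    # With many buckets the outcome depends on where the two addresses hash,
    # which is why only a handful of accounts out of many are ever affected.
    print("weak, 64 buckets:", leaks(64, weak_match))
    # The strict matcher never leaks, whatever the bucket layout.
    print("strict, 1 bucket:", leaks(1, strict_match))
```

The practical lesson is that an incomplete equality check inside a hash-bucketed structure is masked almost all of the time by the hash spreading keys across buckets, so a test with two accounts (as in the earlier reply that could not reproduce it) is not evidence of absence. A regression test for this class of bug fixes the bucket layout, as `leaks(1, ...)` does, rather than relying on the hash to keep the entries apart.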
0
Sébastien Riccio Replied
Hello Tim,

Thank you for the update on this issue. I'm happy to hear that it's a very rare issue and that only one account was affected on our server. We will then be able to explain what happened to our customer.

Kind regards

Sébastien Riccio System & Network Admin https://swisscenter.com
0
echoDreamz Replied
@Chris Danks - The issue was resolved during beta. It was much worse than one or two accounts, though; it was the entire server with like aliases/names.
