tomcatf14 Posted January 19, 2010

I discovered a security problem with WHMCS which I'm not sure can be fixed from the administrator's side. Let's say Client A has "clientA@domain.com" as the contact for his profile; then the client can add a new contact, "clientB@domainABC.com", as the additional contact. So, when the client "clientB@domainABC.com" opens a support ticket and gets a reply from WHMCS, "clientA@domain.com" will get a copy of the email. How could we prevent this from happening? ClientA can steal ("sniff") the email conversation of ClientB just by adding ClientB's address as the additional contact?

mylove4life Posted January 19, 2010

That is not a flaw; that is the way it's made. This is just a way to keep up with tickets other contacts have in the system...

tomcatf14 Posted January 19, 2010

> That is not a flaw; that is the way it's made. This is just a way to keep up with tickets other contacts have in the system...

So, what is stopping one client from adding another client's address as the additional contact? This means that the client could just sit in the middle of the conversation between us and another client? This is how it is supposed to work? I disagree with that.

Matt (WHMCS CEO) Posted January 19, 2010

This wouldn't happen. If there is a client with an email x@y.com, and they email in a ticket, it will be assigned to their client account. No contact would get copies even if they have the same email under another client's contact. Only if the email address exists as a contact and not a client does it get assigned to the contact's email in preference over the client.

Matt