Support system giving private information to customers

[Gav]

Hello,

 

A customer opened a support ticket today, I got the email and went to answer it, this is what I found (see attachment - image is taken from the client's login view)

 

Not the posted date (customer) and the reply date (staff) - the reply date is BEFORE the customer submitted the ticket and contains sensitive information including a password. Luckily in this case the reply was to a previous ticket for the same customer, but I am very concerned about this and need to know that it's in no way possible for the system to send replies intended for other customers.

[Matt]

Not sure what you mean? Hasn't the customer just replied to an already existing ticket they had in their account rather than opening a new one?

 

Matt

[Gav]

No they opened a new one and before I replied the reply from a previous ticket was displayed there. I'm not sure how this could have happened.

 

BTW: the two messages you can see are the only ones there - there are no other replies.

[Daniel]

Looks to me as though they just replied to an existing ticket they had.

 

Client 'A' can't reply to a support ticket that Client 'B' submitted..

[Jordan]

Well, in all honesty, if they direct link to the ticket is given out, then anyone can view it.

 

There is currently no else/if statement for being logged in, that will disable viewing the ticket contents.

 

So, if I knew your website address, and the ticket ID number.. I'd be able to view it.

[Matt]

So, if I knew your website address, and the ticket ID number.. I'd be able to view it.

That isn't the case. You would have to know both the ticket number and the random secret variable - you would not be able to view a ticket without both values.

 

Gav, I suggest you open a ticket so I can take a look at your issue specifically if you think something went wrong and it wasn't a reply to an earlier ticket. At the current time there's nothing to suggest a bug.

 

Matt