Is this a security flaw?

Question

I was working on the errors project and noticed that when I adopted an orphanded profile that was connected to a private tree, I had access to the living individuals in that tree.

Not sure how much of an error it is, but it does seem that it defeats privacy protections.

Comments

Sounds like a security flaw to me too :o

---

So in the DB_ERRORS there is an error that is blank unconnected profiles. There are a few thousand of them. Some of them are connected, but the connections are private daughter, private spouse, whatever. If they are orphaned, I can adopt them. Once I adopt them, I can navigate the tree.  I didn't go far, because I was not interested in anything but correcting the error. However, it did open up information to me that the individual thought was private, but actually everyone has access to.

---

Lance, you must have been working the night I pulled Ranger Duty,  Right at the end of my shift I saw an odd merge to your profile.  I checked your profile and suddenly I had access to your profile and could have made changes. None of your badges were showing. I contacted Eowyn and she changed your privacy level.  So, definitely a bug needing looked at.

---

Yes I posted that episode under another post. I tend to make unintentional waves where I visit.

Answer 1

When you say access to the living trees, what do you mean?  Can you edit them?  That would make it a security breach.  But just seeing the bios, for instance, wouldn't be.  I'd think if you were orphaning a profile that you might make as much as you could visible of living profiles.  But of course you said "private tree"  What exactly do you mean there?  A particular profile with privacy set to private or something else?

Answer 2

Private links on Open profiles seem to be just a nuisance.  They don't protect anything.  I didn't realise they were visible to PMs - it's not on the list of privileges of PMs.

Comments

Here is a profile that shows the problem. After you 'adopt' it, the information becomes available to you.   Baker-4314

---

Ok, I checked it out.  The problem is that there's no indication that the profile was for a living person.  All the dates are in the Biography and that doesn't trigger protection If it were marked as still living in the death date at the top, that should prevent it from being adopted which may or may not be what needs to be done.  Why someone abandoned the profile in an open state I don't know but it is a mistake, I hope, rather than a malicious act.

---

There are a lot of these profiles out there. For now I am adopting, informing the managers of the attached private profiles  of the security risk and then orphaning them again.

---

The Baker-4314 example is one of Gaile's.  But the info is all available anyway

http://www.wikitree.com/wiki/Tannen-4

No need to adopt anything.

 

 

---

@ RJ, but how did you find that profile, for from the profile of  Jennefer you only see: Wife of [private husband (1970's - unknown)]
And more strange: Tannen-4 shows no wife.

---

When I look at it I see:

Jennifer Tannen formerly Baker

Born [date unknown] [location unknown]

Daughter of [father unknown] and [mother unknown]

[sibling(s) unknown]

Wife of [private husband (1970's - unknown)]

[children unknown]

Died [date unknown] [location unknown]

 

When I adopt it I see:

 

Jennifer [middle name?] Tannen formerly Baker

Born [birth date?] [place of birth?]

Daughter of [father?] and [mother?]

[brothers or sisters?]

Wife of David Tannen — married [marriage date?] [marriage location?]

[children?]

Died [death date?] [place of death?]

 

and I can navigate through David to his parents and sister.

 

And yes to see the private husband, I had to adopt, then navigate to that profile. Then I note the profile manager of the "private" profile and send them a note. There is no way for me to find the name of the profile manager of the private profile unless I adopt it.