Private users can message each other (iPhone app security concern)

Hi All!

I’m a small MSP interested in using Asana to replace our standard helpdesk, but I have some concerns with this.

Please note: I can only replicate this behavior using the iPhone mobile app (I’ve not tested Android), and it is not an issue using the desktop browser. I reported this many months ago to support; however, I can’t find the original email. I wasn’t provided a fix.

My Setup:

Organization
|
|–Internal Dept 1 (Team)
|
|–Internal Dept 2 (Team)
|
|–Clients (Team)
   |
   |–Client X (Project)
   |
   |–Client Y (Project)

Added a guest to the Client X project.
Added a guest to the Client Y project.

Logged in as Guest X on the iPhone. I can see a list of all users in Clients (Team). As expected, I can see the actual name of the org member that is also in the same project as me. Guest Y is listed as a “Private User.” *(I’d prefer it be like the browser experience, where the private user isn’t listed at all, but not a problem, I guess.)*

My concern: If I, Guest X, click on the project, then click on the list of members, and then click on the private user listed, I am given an option to “Send Message” or “Assign Task”. When testing, both options work. I, Guest X, can send Guest Y a private message and assign them tasks, which then show up in their account. I can also click “View Tasks” and see the task I just assigned to Guest Y.

Why is this a concern?

Because, in my setup above, one client could in theory initiate contact with another client while I have no idea about it. They’d have no idea who they are talking to, but regardless, they could maliciously contact ALL clients. The only way around this is to create a team for each client, in which case this is no longer a problem; however, after browsing the forums I see many other people use the same setup I have above.

I’m on the Business plan but I’m sure this impacts others.

Thoughts?

Taking this a step further after more testing.

Again, thankfully, I can’t replicate this in a desktop browser, just in the iPhone app.

Client X creates a task in their project. If they start a mention and type “@P”, it lists all private users, in this case more private users than even exist in my “Test Clients” team, seemingly all private users in the org.

So Client X can type @P and randomly select anyone to communicate with, as compared to the desktop browser experience, where @ only brings up users you have been in the same project with.
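
As an added example (not code from the original post and not Asana’s own implementation), the following Python models the team/project layout described in the thread and applies, on the server side, the visibility rule the desktop client appears to follow (“@ only brings up users you have been in the same project with”). Asana’s real authorization rules are not public, so the rule itself is an assumption, and all user, team and project names are constructed for the example. The point it demonstrates is that “Send Message”, “Assign Task” and @-mention autocomplete must all be gated by the same membership-based check, so that a client which lists more users than it should (as the iPhone app does here) still cannot reach them.

```python
"""Model of the layout from the post with a server-side visibility check.
Assumed rule (not Asana's documented behaviour): org members see every org
member; anyone, member or guest, also sees the people who share at least one
project with them. A guest therefore never sees another guest unless they are
in a common project. All names below are constructed for the example."""

from dataclasses import dataclass, field


@dataclass
class Org:
    members: set[str] = field(default_factory=set)               # full org members
    guests: set[str] = field(default_factory=set)                # external guests
    teams: dict[str, set[str]] = field(default_factory=dict)     # team -> projects
    projects: dict[str, set[str]] = field(default_factory=dict)  # project -> users


def build_example_org() -> Org:
    """The setup from the post: a 'Clients' team holding one project per client,
    with one guest added to each client project (constructed names)."""
    org = Org()
    org.members = {"msp_tech"}
    org.guests = {"guest_x", "guest_y"}
    org.teams = {
        "Internal Dept 1": {"dept1_board"},
        "Internal Dept 2": {"dept2_board"},
        "Clients": {"Client X", "Client Y"},
    }
    org.projects = {
        "dept1_board": {"msp_tech"},
        "dept2_board": {"msp_tech"},
        "Client X": {"msp_tech", "guest_x"},
        "Client Y": {"msp_tech", "guest_y"},
    }
    return org


def projects_of(org: Org, user: str) -> set[str]:
    """Projects the user is a member of (team membership alone grants nothing)."""
    return {p for p, users in org.projects.items() if user in users}


def visible_users(org: Org, viewer: str) -> set[str]:
    """Who a viewer may see, message or assign tasks to, under the assumed rule."""
    visible = set(org.members) if viewer in org.members else set()
    for project in projects_of(org, viewer):
        visible |= org.projects[project]
    visible.discard(viewer)
    return visible


def mention_candidates(org: Org, author: str, prefix: str) -> list[str]:
    """Autocomplete for '@<prefix>', filtered by visibility so that a guest typing
    '@g' cannot enumerate every guest in the org the way '@P' does in the post."""
    return sorted(u for u in visible_users(org, author) if u.startswith(prefix.lower()))


def can_message(org: Org, sender: str, recipient: str) -> bool:
    """Authorization decision computed from membership data, never from whatever
    the client chose to display."""
    return recipient in visible_users(org, sender)


def authorize_message(org: Org, sender: str, recipient: str) -> dict:
    """Server-side gate for 'Send Message' / 'Assign Task'."""
    if not can_message(org, sender, recipient):
        raise PermissionError(f"{sender} may not contact {recipient}")
    return {"from": sender, "to": recipient}


if __name__ == "__main__":
    org = build_example_org()
    print(visible_users(org, "guest_x"))            # {'msp_tech'}
    print(mention_candidates(org, "guest_x", "g"))  # []
    print(mention_candidates(org, "msp_tech", "g"))  # ['guest_x', 'guest_y']
    try:
        authorize_message(org, "guest_x", "guest_y")
    except PermissionError as err:
        print("rejected:", err)                     # rejected: guest_x may not contact guest_y
```

In this model the team hierarchy is recorded but does not widen visibility, which is why the workaround of one team per client changes nothing here: what matters is that guest_x and guest_y share no project, so the server refuses the message regardless of which list the mobile client rendered.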

Very interesting use case! You can message a private user, but do they indeed receive the message? @Marie, this seems like a bug; should we move it to the Bug category?


Hi @Bastien_Siebman

Yes, I created two private users with unique email addresses, a test team, and projects. I confirmed that the message and the assigned tasks were indeed received by the second private user account.

Thanks, sorry for posting in the wrong section. Indeed it seems like a bug to me.

Hi @StevenC, can you please report this in #bugs:report? Thanks!

Cross posted it there. Thanks!