Private users can message each other (iPhone).

Briefly describe (1-2 sentences) the Bug you’re experiencing:

Clients on the same team, but added just to their respective private projects can find each other on the iPhone app and communicate.

Steps to reproduce:

More details in this post: Private Users can message each other. (iphone app security concern) - #3 by Bastien_Siebman

Browser version: iOS App v9.13.0

By “clients” I meant to write “Private Users”.

Hi @StevenC, thanks for flagging this!

I’ve gone ahead and escalated this to our Product team. I’ll keep you posted and let you know when we have any updates!

Are there any updates on this issue? Same thing happens on the Android app

Hi there @Tamara_vd and @StevenC, thanks for flagging this :slight_smile:

Can you please confirm if those private users you’re referring to are part of the same team? Even though they belong to different private projects - are those projects all homed under the same team?

Please note that all users having an email address with your organization’s email domain are organization members and all users having an email address outside this domain are guests in your organization.

Members can see all guests’ names and all guests can see members’ names too.

That being said, guests can only see other guests once they are both added to the same team or the same project: Working with guests in an organization • Asana Product Guide.

If your colleagues cannot see their names and can only see “Private user”, it is simply because they are not added to the same team or project. Once this is the case, they’ll both see each other’s name.

Hope you find this information helpful :slight_smile:

The private users aren’t part of the same team or projects and are not part of our organization.
A test account (gmail address) is a guest in 1 Project, which is in the team Customers. I’m not a member of the team.
When I look in the Android app on the Home screen I see 3 tabs: Favorites, Recents, All. When I go to ‘All’ I see the team Customers (which surprises me, because I’m not a member of that team).
When I click on that team I can see the members of the team. When I click on them I see a list of members. I see the members of the team Customer (name and email addresses are shown). But the list also shows a lot of ‘Private users’. I can then click on any of those private users and send a message or ‘View tasks’.
So, it is true I can only see the names of other guests when added to the same project or team. But without being part of the same team/project it is possible to view tasks and send a message. Which is definitely not what we want.

When I use the desktop app or browser, none of these problems exist;
I don’t even see the team Customers, I only see the project where I’m added as a guest. I can’t message or assign tasks to anyone outside that project.

Thanks for the additional context @Tamara_vd! I have now escalated this to our Development Team so they can investigate further and I will circle back on this thread once they provide an update :slight_smile: thanks!

Are there any updates? There is a real problem for our organization when customers can message / assign tasks to customers from other organizations.

Hi @Tamara_vd, our team is still working on this case, and unfortunately we don’t have an ETA yet, but we’ll get back to you as soon as we receive any updates. Sorry for the trouble!