Welcome email is a significant security issue

Discussion in '3CX Phone System - General' started by boomschtick, Sep 7, 2017.

Thread Status:
Not open for further replies.
  1. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    38
    Likes Received:
    5
    Inspired by this thread in the Ideas forum: https://www.3cx.com/community/threads/security-risk.45381/

    This feels like a very big deal to me and I think deserves more attention. Quoting my last post in that thread:
     
    Zephnath, AH2 and Daniel Lent like this.
  2. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    38
    Likes Received:
    5
  3. llebihan

    Joined:
    Sep 11, 2017
    Messages:
    1
    Likes Received:
    1
    I agree
     
    Zephnath likes this.
  4. daneke

    Joined:
    May 8, 2017
    Messages:
    46
    Likes Received:
    4
    Then don't send one. Give new users a sticky
     
  5. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    38
    Likes Received:
    5
    Seriously? That's hardly a solution. 3cx is a global solution and this needs a global fix. I have users in Europe, Australia and all over the US. I love the convenience of the welcome email, but it has WAY too much information in it from a security standpoint.
     
  6. Nick Galea

    Nick Galea Site Admin

    Joined:
    Jun 6, 2006
    Messages:
    1,888
    Likes Received:
    190
    SP 2 will have provisioning via QR code and then there is no need to send the provisioning file for the smartphones....
     
  7. boomschtick

    Joined:
    Sep 11, 2012
    Messages:
    38
    Likes Received:
    5
    Great news. What's going on for the desktop clients?
     
  8. Zephnath

    Joined:
    Sep 15, 2017
    Messages:
    1
    Likes Received:
    0
    Users also have the ability to request the welcome email via the web client. (Profile > Resend Credentials) @Boomshtick is correct, not sending one is not the solution.

    I'd personally like to see a whitelisting/blacklisting feature that allows admins to either approve or deny clients before they are allowed to authenticate. Also, having the client prompt for authentication credentials would be better than an unencrypted email with a plaintext username and password within the XML.
     
    #8 Zephnath, Sep 15, 2017
    Last edited: Sep 15, 2017
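To make the two points in this post concrete (an admin check for plaintext credentials embedded in a provisioning file, and the "prompt the client instead" alternative), here is an added example in Python. It is not 3CX code and does not use the real 3CX provisioning schema: the XML sample, its element names (`password`, `username`, `extension`, `server`) and the `provisioning_token` mechanism are all constructed for illustration. The first part scans an XML provisioning payload for elements that carry a secret and strips them; the second part shows the alternative the post asks for, a short-lived, single-use provisioning token that the welcome email could carry instead of the password, which the client redeems over the PBX's authenticated channel before prompting the user for credentials.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

# Constructed sample of a provisioning file that embeds credentials in clear.
# Element names are hypothetical, not the real 3CX schema.
SAMPLE_PROVISIONING_XML = """<?xml version="1.0"?>
<provisioning>
  <account>
    <extension>101</extension>
    <server>pbx.example.invalid</server>
    <username>101</username>
    <password>Sup3rSecret!</password>
  </account>
</provisioning>
"""

# Element names (lower-cased) that should never appear populated in an
# artifact that travels over unencrypted email.
CREDENTIAL_TAGS = {"password", "secret", "authpassword", "pin"}


def find_plaintext_credentials(xml_text):
    """Return (tag, secret_length) for every populated credential element.

    Only the length is reported so the check itself never echoes the secret
    into logs or tickets.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        tag = elem.tag.lower()
        value = (elem.text or "").strip()
        if tag in CREDENTIAL_TAGS and value:
            findings.append((tag, len(value)))
    return findings


def strip_credentials(xml_text):
    """Return the XML with all credential elements removed."""
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        for child in list(parent):
            if child.tag.lower() in CREDENTIAL_TAGS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# --- Alternative: short-lived, single-use provisioning token ---------------
# The email carries only this token; the PBX stores a hash of it, and the
# client redeems it once (over TLS) to learn which account to provision,
# then prompts the user for the real credentials.
TOKEN_TTL_SECONDS = 600  # hypothetical 10-minute validity window


def issue_provisioning_token(extension, now=None):
    """Create a random token; the server keeps only its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "extension": extension,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token, record


def redeem_provisioning_token(token, record, now=None):
    """Return the extension on success, None if expired, reused or wrong."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return None
    record["used"] = True  # single use: a leaked email cannot be replayed
    return record["extension"]


if __name__ == "__main__":
    print("findings:", find_plaintext_credentials(SAMPLE_PROVISIONING_XML))
    print(strip_credentials(SAMPLE_PROVISIONING_XML))
    tok, rec = issue_provisioning_token("101")
    print("first redeem:", redeem_provisioning_token(tok, rec))
    print("second redeem:", redeem_provisioning_token(tok, rec))
```

The scan can be run by an administrator over any exported provisioning file or captured welcome email before deciding whether it is safe to send. The token design is the general form of what the thread's QR-code and "prompt for credentials" suggestions achieve: whatever lands in a mailbox is worthless after one use or a few minutes, and the password itself never leaves the PBX in clear.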