 |
|
|
 |
| Subject: Traveler Security Flaw? |
 |
 |
 |
| Product Area: Notes Traveler |
 |
| Technical Area: Accessibility |
 |
| Platform: Windows |
 |
| Release: 8.5.3 |
 |
| Reproducible: Not attempted |
 |
 |
 |
 |
I recently was notified that a couple of my Traveler users were receiving new devices. Rather than keep the Traveler database cluttered with multiple devices, I used the "Tell Traveler Delete {device} {username}" to remove the device that was no longer supposed to be used.
Today I noticed one of the deleted users, who activated his new device, apparently activated the previous devices he had been using.
Now, this might not be a problem if we were allowing everyone to activate devices, or authorized people to activate as many devices as they wanted to. However, I have the security set that each user can activate a SINGLE device, then any further devices require approval.
Have I discovered a security flaw? Is a previously activated device still considered 'approved' if that device is deleted from the server and the user re-activates it, after having activated another device (which is considered approved)?
We are wanting to allow users to activate only ONE device. We already had an allowed user attempt to activate a personal device, and the approval process caught it, asking us to allow. However, this user activated their new device, and then apparently tried to activate their previous device, and it was allowed, instead of requiring Admin Approval.
Brian
 
Feedback number WEBB8VHLZN created by ~Julia Quetjipytexings on 06/22/2012
Status: Open
Comments:
 Traveler Security Flaw? (~Julia Quetjipy... 22.Jun.12)
 . . re:Traveler Security Flaw? (~Alexis Asanist... 22.Jun.12)
. . . . Tell traveler security delete <devi... (~Julia Quetjipy... 22.Jun.12)
. . . . . . RE: Tell traveler security delete <... (~Manny Ekrevero... 25.Jun.12) |
| |
|
Return to top
Printer-friendly
