Today we rolled out a change to how we handle users accessing private forums that are restricted by email domain, to address a potential security issue. No other type of private forum is affected.
We try to make it as easy as possible for your customers to interact on your UserVoice forums, because we know they don’t want to go through a big account setup just to give you ideas. Part of accomplishing this is allowing customers to interact on forums without setting a password, which has been very successful.
The gap we discovered is this: a user could be given access to a private forum, never set a password, and then someone else could enter that user's email address and access the private forum and the ideas within it. In effect, knowing the address was the only credential. This would, of course, require the malicious person to know the exact email address of someone invited to the forum. It is an edge case that, to our knowledge, has never been exploited (we have no indication that it has happened), but absolutely something that needed to be taken care of.
To plug this gap, we now require users to set a password before they can access any private forum restricted by email domain. This applies to both new and existing users.
Now, when an existing user who has no password visits a forum they have been given access to, they will be shown a link to create a password instead of being let into the forum. Following that link sends an email with a confirmation link (which verifies that they control the address) that lets them password-protect their profile. Because the confirmation email only reaches the invited address, someone who merely knows the address cannot complete this step. Once the password is set, the user can access the private forum as before.
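To make the change concrete, here is an added example (not UserVoice's own code, and written for this post rather than taken from it) that contrasts the old access rule, where the claimed email address identified a password-less user, with the new rule, where a password-less user is sent to create a password through an emailed confirmation link. The class names, the `"password_required"` decision value, the HMAC-based link token and its one-hour lifetime are all assumptions made for illustration; the sample forum and users are constructed inline.

```python
"""Access decisions for an email-domain-restricted private forum:
the pre-change rule beside the post-change rule, plus the emailed
confirmation link used to set a password. Illustrative code only;
all names and the token scheme are assumptions, not UserVoice's design."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)


@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None  # None: the user never set a password
    salt: bytes = field(default_factory=lambda: os.urandom(16))


@dataclass
class Forum:
    name: str
    allowed_domains: set  # e.g. {"example.com"}


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_ok(user: User, password: Optional[str]) -> bool:
    if user.password_hash is None or password is None:
        return False
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def access_before(forum: Forum, users: Dict[str, User], claimed_email: str,
                  password: Optional[str] = None) -> str:
    """Pre-change rule: the claimed address identifies the user, and a user
    with no password on record is never asked for one."""
    user = users.get(claimed_email.lower())
    if user is None or email_domain(claimed_email) not in forum.allowed_domains:
        return "denied"
    if user.password_hash is None:
        return "granted"  # the gap: anyone who knows the address gets in
    return "granted" if password_ok(user, password) else "denied"


def access_after(forum: Forum, users: Dict[str, User], claimed_email: str,
                 password: Optional[str] = None) -> str:
    """Post-change rule: a domain-restricted private forum requires a password;
    a password-less user is sent to create one instead of getting access."""
    user = users.get(claimed_email.lower())
    if user is None or email_domain(claimed_email) not in forum.allowed_domains:
        return "denied"
    if user.password_hash is None:
        return "password_required"
    return "granted" if password_ok(user, password) else "denied"


def _link_mac(secret: bytes, user: User, expires: int) -> str:
    # Bound to the account's current password state so the link is single-use:
    # once a password has been set, the same link no longer verifies.
    state = user.password_hash or b""
    msg = f"{user.email.lower()}|{expires}|".encode() + state
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_password_link(secret: bytes, user: User, now: int) -> str:
    """Token placed in the emailed link. It is only ever sent to user.email,
    which is what proves the person following it controls that address."""
    expires = now + TOKEN_TTL
    return f"{expires}.{_link_mac(secret, user, expires)}"


def set_password_with_token(secret: bytes, users: Dict[str, User], email: str,
                            token: str, new_password: str, now: int) -> bool:
    """Validate the emailed token, then set the password. Returns True on success."""
    user = users.get(email.lower())
    if user is None:
        return False
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now > expires:
        return False
    if not hmac.compare_digest(mac.encode(), _link_mac(secret, user, expires).encode()):
        return False
    user.password_hash = hash_password(new_password, user.salt)
    return True


if __name__ == "__main__":
    # Constructed sample data: one domain-restricted forum, one invited user.
    forum = Forum("roadmap", {"example.com"})
    users = {"alice@example.com": User("alice@example.com")}
    print("before:", access_before(forum, users, "alice@example.com"))   # granted
    print("after: ", access_after(forum, users, "alice@example.com"))    # password_required
```

The `access_before` branch that returns `"granted"` for a user with no password is the whole gap: the check proves that the address is invited, not that the visitor owns it. The `access_after` rule closes it by refusing to treat an address as an identity until a password exists, and the confirmation token can only be obtained from the invited inbox, so the impersonator who merely knows the address is stopped at `"password_required"`.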
If you have any questions or think your customers are experiencing any issues, don’t hesitate to contact us.
Thanks for your understanding – we know this may cause some inconvenience for your customers, but in the end it will provide greater security for your company.
Community Manager, UserVoice