Aha! idea portals are a great way to manage all of your customer ideas. And as every product manager knows, ideas often come from many different sources.
Aha! supports idea submission through email to make it easy for your stakeholders to email in their ideas. Each Aha! product includes a unique email address that can be used for idea submission. If a user sends an email to the unique address, an idea is created. This Ideas via email address is located under Settings > Product > Configure, within the Ideas subsection.
Sometimes customers will create a corporate email address that has messages forwarded to the Ideas via email address. However, this creates a potential security vulnerability that customers should be aware of when making use of the Ideas via email functionality.
The vulnerability occurs under the following conditions:
- A corporate email address, such as firstname.lastname@example.org, has messages forwarded to an Ideas via email address.
- A public or private idea portal is in use.
- New ideas submitted to the portal are set to be portal visible automatically.
- Internal applications are in use that allow self-registration of users with email addresses on the corporate domain.
This enables the following security vulnerability:
- A malicious user registers for internal applications using the email@example.com email address.
- A registration email is then sent to firstname.lastname@example.org.
- The registration email gets published as an idea through the Ideas via email forwarding.
- The malicious user views the published idea in the portal, reads the registration content it contains, and uses it to complete their account on the internal application.
To prevent this from occurring, we recommend that teams do not forward emails from corporate email domains that are used for other applications.
If an address on your domain is used for idea submission, make sure that your portal is either a submit-only portal or that your default idea visibility is set to "Not visible in portal", so that no malicious email can populate the portal automatically.
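The controls above (no forwarding from a shared corporate domain, a submit-only portal, or a "Not visible in portal" default) are the primary mitigations. As an added illustration that is not part of this article and not Aha! code, the script below models the forwarding step on the customer's side: it inspects each message before it is relayed to the ingest address, holds back anything that looks like system-generated account mail (automated sender, registration-style subject, tokenised link), and creates any forwarded idea with the safe default visibility so a human has to publish it. The addresses, the heuristic patterns and the two sample messages are all constructed for the example.

```python
"""Forwarding gate for an 'Ideas via email' ingest address (illustrative, not Aha! code)."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Placeholder addresses (constructed). The real ingest address lives under
# Settings > Product > Configure > Ideas in Aha!.
CORPORATE_INBOX = "ideas@corp.example"
IDEAS_VIA_EMAIL = "ideas-ingest@example.invalid"

# Assumed heuristics for system-generated account mail; tune for your own apps.
AUTOMATED_SENDER = re.compile(
    r"^(no-?reply|do-?not-?reply|notifications?|accounts?|registration)@", re.I)
REGISTRATION_SUBJECT = re.compile(
    r"\b(verify|verification|confirm|activate|registration|welcome|password)\b", re.I)
TOKEN_LINK = re.compile(
    r"https?://\S*(token|code|confirm|verify|key)=[A-Za-z0-9_\-]{8,}", re.I)


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def classify(raw: str) -> dict:
    """Decide whether a raw RFC 822 message may be forwarded to the ingest address."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").strip()
    match = re.search(r"<([^>]+)>", sender)
    addr = match.group(1) if match else sender
    subject = msg.get("Subject") or ""
    reasons = []
    if AUTOMATED_SENDER.search(addr):
        reasons.append("automated sender")
    if REGISTRATION_SUBJECT.search(subject):
        reasons.append("registration-style subject")
    if TOKEN_LINK.search(_body_text(msg)):
        reasons.append("tokenised link in body")
    action = "quarantine" if reasons else "forward"
    return {"action": action, "reasons": reasons, "from": addr, "subject": subject}


def ingest(raw: str, default_visibility: str = "Not visible in portal") -> Optional[dict]:
    """Simulate forward-and-create-idea: quarantined mail never becomes an idea,
    and forwarded mail is created with the safe default visibility."""
    verdict = classify(raw)
    if verdict["action"] != "forward":
        return None  # held for human review; never reaches the portal
    return {"name": verdict["subject"], "submitted_by": verdict["from"],
            "visibility": default_visibility}


# Constructed sample messages.
REGISTRATION_MAIL = """\
From: Example App <noreply@internal-app.example>
To: ideas@corp.example
Subject: Confirm your registration

Click to activate your account:
https://internal-app.example/activate?token=Ab12Cd34Ef56Gh78
"""

CUSTOMER_MAIL = """\
From: Dana Customer <dana@customer.example>
To: ideas@corp.example
Subject: Idea: dark mode for the dashboard

It would be great to have a dark theme so I can use the dashboard at night.
"""

if __name__ == "__main__":
    for raw in (REGISTRATION_MAIL, CUSTOMER_MAIL):
        print(classify(raw), "->", ingest(raw))
```

Running the module prints the verdict for each sample: the registration email is quarantined on all three signals, while the genuine customer idea is forwarded but still lands as "Not visible in portal" until someone publishes it. Even with such a filter in place, the article's advice stands: a shared corporate domain that other applications accept for self-registration should not be forwarded to the ingest address at all.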