Hi,
Thank you for bringing to everyone's attention the potential cyber risk of QB's current document/customer info storage practices. As a multiple-time customer, I am not happy with what you are proposing they are doing with their cyber hygiene practices.
I'm a cybersecurity engineer with a networking background, but have 0% experience with WordPress, focusing mainly on DoD stuff -- WP just doesn't figure into my career at all since we never use it where I am and have worked. Hence, I'm a bit confused about how you are accessing everyone's data (is that your contention?), and/or why it's as grave as you say (minus the fact that they are retarded for using WordPress in this manner, since it is, as you've said, always hackable). Your two threads seem to indicate that anyone can access the data by navigating the directory parent/child relationships. But I've gone through my own order emails and have tried to publicly/unauthenticated navigate the site and keep finding I arrive at a "Forbidden" error message -- much like one would expect if the .htaccess file were properly modified to forbid index access.
1) Are you saying that if someone guessed the directory/file structure and URL convention they could access all uploaded files?
OR
2) Are you saying there is a WordPress-savvy backdoor to arrive at the individual files?
OR
3) Are you saying that if their site/server was compromised all of said info would be open to an attacker?
I'd be interested in which number or combo thereof you are deriving your conclusion from and, pursuant to that, how we can assist QB in sanitizing this from public view. If they refuse, as they seem to treat simple order emails as NFA (which they aren't), then it would seem legal recourse is in order, since this is a violation of PII storage practices as industry standards demand.
It certainly is stupid of them to store PII like that as it provides a vector for:
A) NFA items' targeted theft
B) Anti-2A Swatting, either in the form of claimed threats or claimed skirting of NFA laws, e.g., "He tried to sell me an off the books suppressor, SN# XXXX", etc.
Thanks
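An added illustration of the distinction question 1 turns on (example configuration written for this thread, not QB's or WordPress's own; the `wp-content/uploads/orders` path is an assumed placeholder): a "Forbidden" on the directory URL only proves that directory listing is off, it does not prove that a request naming an exact file is refused.

```apacheconf
# WEAK: only suppresses the directory listing. Apache still serves any
# file whose exact name appears in a request, so a guessable naming
# convention leaves every upload reachable.
# (Path is an assumed placeholder, not a real QB location.)
<Directory "/var/www/html/wp-content/uploads/orders">
    Options -Indexes
</Directory>

# STRONGER: refuse every direct web request into the directory. Files
# can then only be delivered by application code that first checks the
# customer's login, which is where the access decision belongs.
# Apache 2.4 syntax; 2.2 would use "Order deny,allow" / "Deny from all".
<Directory "/var/www/html/wp-content/uploads/orders">
    Options -Indexes
    Require all denied
</Directory>
```

The same directives work from an .htaccess file inside that directory (drop the `<Directory>` wrapper), provided the vhost's `AllowOverride` permits `Options` and `AuthConfig`. To verify, request a known file URL from your own order email while logged out: both the directory and the file should return 403, and the file should never return 200.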