narwhalsilent / pe


Product does not solve data leak issues as claimed in UG #17

Open narwhalsilent opened 4 months ago

narwhalsilent commented 4 months ago

The welcome note of UG seems to claim that the app can solve data leak issues.

[image: screenshot of the UG welcome note]

However, the storage JSON files for address books are not encrypted and are easily accessible. One can simply rename the JSON file to their own account name to access and change the files with their own account.

nus-se-script commented 4 months ago

Team's Response

We refer to this section for our constraints on the project.

We wrote this in the UG as we plan to have this in the future, when the constraints are lifted.

[image: screenshot of the project constraints section]

Items for the Tester to Verify

Issue response

Team chose [response.NotInScope]

Reason for disagreement: Since the constraint of a human-editable file is in place, the UG should not include data leaks as an issue in its Welcome Note in the first place.

Therefore, it is still a mistake to include the second guiding question in the picture attached in the original bug report.

In addition, in reply to the group's justification quoted here:

We wrote this in the UG as we plan to have this in the future, when the constraints are lifted.

It is also misleading to include an issue not yet solved by the current product in the Welcome Note, because unsuspecting users who lack the technical ability to verify the security of the application might expose themselves to security issues by using the application.

Therefore, I believe that this is a documentation bug that can mislead the user as to the level of security that the application has. Since security is not a minor issue, I believe the severity should be medium.

This is not to say that the product should have high security by encrypting its file. Rather, they should be clear whether or not their current product addresses security concerns.