40

There is a way for anyone to see ♦ moderator announcements despite not being one:

A list of moderator announcements

This can be done by creating a Stack Overflow team (which is now free!), then going to https://stackoverflow.com/c/{team-id}/topbar/mod-inbox. (I added in a few stylesheets in the screenshot to make the above screenshot look good). Avoid doing anything remotely like a moderator action in this new team, since having done moderator actions can make this page 500.

It doesn't seem like any of the announcements have any particularly secret info in them (they seemed pretty mundane to me), but it seems like making these public is a Bad Idea.

This is happening because Teams admins are actually moderators in disguise (with a bunch of stuff changed).

16
  • 4
    Many announcements concern upcoming changes that are not complete, and require feedback, or refer to specific operational issues that must not be disclosed if they are to be useful. If it was meant to be a public announcement, it would be a public announcement.
    – Nij
    Commented Mar 22, 2021 at 4:23
  • 18
    Next time it'd be appreciated if you used stackexchange.com/about/security instead of a public Meta post :)
    Commented Mar 22, 2021 at 6:09
  • Anyway, some of these are already public. Half of them are just links to MSE posts. The ones that aren't are links to the private moderators site. All this infoleak does is let people see the titles of notifications.
    Commented Mar 22, 2021 at 9:43
  • 9
    I asked him to on chat actually. Felt a bit too late to secret squirrel if any user who started a free team instance could see our extremely boring announcements.
    Commented Mar 22, 2021 at 10:14
  • 1
    @JourneymanGeek Or perhaps not so boring... ;)
    – Ollie
    Commented Mar 22, 2021 at 16:00
  • 7
    @Ollie come on, who cares that the mods' plan to steal the sun is progressing as expected?
    – VLAZ
    Commented Mar 22, 2021 at 16:58
  • Oops, that's embarrassing.
    Commented Mar 22, 2021 at 22:26
  • You sure that's anyone, or just team owners?
    – Ollie
    Commented Mar 22, 2021 at 23:19
  • 4
    @Ollie Only Team admins. However, that isn't much of a barrier since anyone can create a team for free now, something that SE has been making sure everyone knows about
    – smitop
    Commented Mar 22, 2021 at 23:24
  • 4
    Or if people find out why we're really not allowed to mail trolls bobcats any more.
    Commented Mar 23, 2021 at 1:20
  • 3
    THE INCIDENT
    Commented Mar 26, 2021 at 13:20
  • You said "Avoid doing anything remotely like a moderator action". Do you mean that you can do moderator actions through this page if you aren't one? Wow, this was a real security hole! Maybe you shouldn't have posted it publicly.
    – Anonymous
    Commented Mar 26, 2021 at 16:08
  • @Anonymous Being able to do most moderator actions on SO for Teams as an admin is the intended behaviour: that's the point of being an admin. The problem here is that Teams admins got a little too much power. But Teams admins absolutely can see all the PII of people in their Team without even using moderator interfaces. For instance, IP addresses of people in a Team are included when exporting data from a team. That is the intended behaviour (AFAICT). Moderators (in a Team or not) can't ever see any non-public info about users not in a Team (in SO for Teams) or site (for public sites).
    – smitop
    Commented Mar 26, 2021 at 16:28
  • 2
    Some moderator things are hidden on SO for Teams, but they are not hidden for security, but because they don't make sense in a Teams context. For instance, by making requests to the right endpoints you can do things like block users, flag posts, review ban users, annotate users, mark flags as useful/not, etc. None of these would make sense to do in a normal team: your co-workers are unlikely to start posting spam on Teams (which are invite-only), but the ability to do these actions is still present internally, since Teams are really just normal Stack Exchange sites with a few tweaks...
    – smitop
    Commented Mar 26, 2021 at 16:35
  • 1
    ...Some of these actions result in things being placed in the moderator inbox, which is normally hidden. When making requests for the mod-inbox (which is normally hidden) manually, the SE software loads everything that would normally go in the mod inbox, including announcements. But since exactly 0 effort went into testing the mod inbox on Teams (because it should never be loaded in Teams), there is some bug that causes it to not load properly when certain items are in it. I'm not sure what actions exactly cause this bug.
    – smitop
    Commented Mar 26, 2021 at 16:37
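
The access-control gap described in the post and comments above, modelled as an added example (not part of the original thread and not Stack Exchange's code): a handler that checks only the role on the current site and then loads every inbox item, next to a scoped version. All names, sites and items are constructed, and the audience filter in the hardened handler is an assumption about one reasonable fix.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Site:
    name: str
    is_team: bool                 # True for a private Teams instance

@dataclass(frozen=True)
class Item:
    title: str
    site: Optional[str]           # None = network-wide moderator announcement

# Constructed sample data (hypothetical names, not real announcements).
PUBLIC = Site("public-site", False)
TEAM = Site("team-123", True)
MODS = {"site_mod": {"public-site"}, "team_admin": {"team-123"}}  # user -> sites moderated
ITEMS = [Item("Announcement: upcoming change", None),
         Item("Flag on a team post", "team-123")]

def inbox_role_only(user, site):
    """Flawed: checks the role on the current site, then loads every item."""
    if site.name not in MODS.get(user, set()):
        return 403, []
    return 200, [i.title for i in ITEMS]

def inbox_scoped(user, site):
    """Hardened: no such route on Teams (404); items filtered by audience."""
    if site.is_team:
        return 404, []
    if site.name not in MODS.get(user, set()):
        return 403, []
    return 200, [i.title for i in ITEMS if i.site in (None, site.name)]

def leaks(handler):
    """Regression check: network-wide titles served to Teams-only moderators."""
    network = {i.title for i in ITEMS if i.site is None}
    teams = {s.name for s in (PUBLIC, TEAM) if s.is_team}
    found = []
    for user, sites in MODS.items():
        if sites <= teams:                       # holds no public-site role
            for site in (PUBLIC, TEAM):
                _, titles = handler(user, site)
                found += [(user, site.name, t) for t in titles if t in network]
    return found
```

Running `leaks()` over every handler that returns moderator-only data catches the case where hiding a link in the UI was the only control.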

1 Answer

15

This appears to be fixed. The mod inbox now 404s on teams.

1
  • 10
    Yup! This has been fixed now.
    – Juice StaffMod
    Commented Apr 2, 2021 at 15:00
