Figma Support Forum

Comment feature: User privacy issue

1. Describe the bug/issue you’re running into?
As I use the @ feature on my figjam file I am suggested people I don’t know and have access to their email address

2. Are you able to consistently reproduce it? If so what are the steps?
Yes

  • Create a figjam
  • Start a comment somewhere
  • @ someone
  • As I type characters I am suggested users which are not part of my org

3. Share a screenshot, recording, console log, link to the file, etc.

4. Is the issue only happening in desktop app or a specific browser , or both?
not sure

5. What OS/version and/or browser/version are you using?
Latest

I reported this a while ago (this is the same in FigJam and Figma) and here is the answer:

Our general model is that we won’t share emails of owners or viewers by just having someone visit a link. Unfortunately, when we did that, that meant too many cases of benign interaction were affected. So, we have a heuristic where if a file has < 10 people, then viewers get the owner added to their contact; and the owner gets each viewer added to their contact.

So if you opened these people’s files or if they opened yours that you shared by link, you will have them in your contact list (search).

thanks for your answer. I was worried if that was a data leak.
On the other hand there is nothing that is forcing you to display the email in the UI?
We would then reduce the visibility of sensitive info

Yeah I have the same concerns. Adding to contacts within Figma is fine but there is no reason to show the email.

1 Like

A nice way to keep the UI as is, would be to use different data? Like Role or/and permissions?

1 Like

Oh this is great!

The main issue why the emails are shown in the first place is identification of people, e.g. you can have multiple people with the same name and you would want to only authorize specific ones to access the file. Building on top of the idea shared above, maybe the items could show which items you have in common (why the person is in contacts in the first place) and their email domain name.

image

1 Like

:exploding_head: ship it