
Comments (9)

smspool avatar smspool commented on September 25, 2024 1

Hi, thank you so much for your thorough reviews. A lot of our service is built under the support of our users, so I am really happy with the kind words.

Regarding your following points:

API Security

  • You can update your API key in case it has been breached or hijacked, although you cannot deactivate it at the moment, as a lot of our site's functionality uses the API key. Regarding the API key showing in plaintext: would you have any solution in mind for what you'd like to see? Something like censoring it unless you hover over it?
  • That is due to our software restrictions at the moment, although we will keep this in mind once we rewrite our authentication system
  • Our API endpoints both support Authorization, GET and POST at the moment.

Other security

  • Samesite attribute has been added
  • PHP debug messages have been disabled
  • Deleting your account would clear everything in it, deleting individual orders is not possible at the moment

Privacy policy queries

  • The vendor (phone carrier) can see the contents of your messages, although this would not be linked to the user in any way. All resources, blogs and text remain our exclusive property, while the content remains yours.
  • Data is retained until you delete your account; although we could add a feature that would purge your data after x days as some users prefer to keep their data in case they need it in the future (we'd love to hear suggestions about this)
  • Cookie consent is only requested when we collect personal information (which we don't and will not)
  • I've added more context to the data breaches as it'll be announced on the on-site dashboard or on Telegram
  • We have added the minimum age requirement to the Terms of Service

General bugs

  • We've updated the informative endpoints without post body to be GET, and the retrieve countries by success rate should already be in POST format
  • Postman variables are only stored locally; Postman also recommends storing sensitive data in variables
  • We will look into adding date localization, we serve everything using PHP at the moment.
  • RTL is mainly for languages that read right to left; but for some reason some of our users also prefer it with English.
  • It should redirect you automatically now when you clear all sessions
  • The news dashboard is only for major news, smaller consistent updates are posted to our Telegram channel which can be found on our contact page
  • If you use any type of adblocker it'll block out the rewards page
  • The promotions are just for different payment processors, although we are thinking about phasing out the rewards page.
  • Fixed the page title of the Privacy Policy

from awesome-privacy.
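A way to verify the "Samesite attribute has been added" item from the outside, as an added example that is not SMSPool's code: parse the `Set-Cookie` headers a response returns and flag the attributes a session cookie should carry. SameSite limits when the browser attaches the cookie to cross-site requests; HttpOnly is the attribute that keeps page scripts from reading it. The sample headers are constructed.

```javascript
// Added example (not from the thread or SMSPool): audit Set-Cookie headers for
// SameSite, Secure and HttpOnly, and build a hardened value for comparison.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const [k, v = true] = a.split('=');      // flag attributes have no value
    cookie.attrs[k.toLowerCase()] = v;
  }
  return cookie;
}

// Returns { name, findings }; an empty findings array means the cookie passes.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (!sameSite) findings.push('missing SameSite (set Lax or Strict explicitly)');
  if (sameSite === 'none' && !c.attrs.secure) findings.push('SameSite=None requires Secure');
  if (!c.attrs.secure) findings.push('missing Secure (cookie may travel over plain HTTP)');
  if (!c.attrs.httponly) findings.push('missing HttpOnly (readable by page scripts)');
  return { name: c.name, findings };
}

// What a session cookie should look like once the attributes are set.
function sessionCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample headers: one as reported in the review, one as fixed.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
];

for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));
```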


smspool avatar smspool commented on September 25, 2024

Here's some more information about us :)

  1. Based in the Netherlands, GDPR and CCPA compliant
  2. No website analytics or trackers used
  3. Accepts Card, Monero, ZCash, OXEN and more.
  4. Only a username and password are required (no email is required).
  5. No KYC
  6. No identifiable information such as IP logs and more


Lissy93 avatar Lissy93 commented on September 25, 2024

Hey @smspool
Sorry for the late response, I'm looking into SMSPool now...
It looks pretty awesome! Would you be up for submitting a PR? Otherwise I can do so, if you're unable?


Lissy93 avatar Lissy93 commented on September 25, 2024

I'm just trying out your service now, and in case it's helpful, below are some minor bugs / issues. Nothing too major, but thought it might be helpful for you.

API Security

  • There's no way to deactivate or regenerate your API key. The key is shown in plaintext on several screens, which feels insecure.
  • The user's API key is the same key you're using when communicating with the backend. This should be handled with auth tokens on your system, NOT the user's API key.
  • The API docs show that the API key is transmitted as part of the request body in form data. Using headers, like the Authorization header would be more secure. Similarly, the endpoints (like rental history, order history, SMS message, etc) which return sensitive data should really, ideally use OAuth tokens or a more secure auth method

Other security

  • You're not specifying the SameSite attribute when setting cookies. Possibly leaving you vulnerable to XSS
  • PHP debug messages enabled, they can reveal sensitive info
  • No (clear) way to delete items from history

Privacy Policy Queries

  • Privacy policy doesn't make it super clear who can or can't see the contents of messages. The ToS mentions that "our entire platform, including but not limited to all information, texts, and images, shall remain our exclusive property", does that mean text message content? Not super clear.
  • The privacy policy doesn't mention how long data is retained. It would be useful to know some more specific time frames.
  • Policy also says that you "we request your consent before placing such cookies", but no such consent is ever actually asked before cookies are stored
  • Privacy policy mentions notifying users about a breach, but given it's possible to signup with an email / contact, where will the breach notification be published? E.g. on the homepage, at a specific URL, somewhere else?
  • Similarly, since the privacy policy says you won't possess the data of minors, you should add this to your ToS, as currently there's no point where you agree that you're not under 18/16/13/whatever age.

General minor bugs/ user experience things

  • While trying out the API, I noticed that some of the retrieval endpoints are using the POST method. GET would be more appropriate. Similarly, the Content-Type header is missing from the Postman collection. Also, the Retrieve country success rates per service endpoint is GET, but it includes form data in the body, which (I don't think) is valid/normal in a GET request.
  • In the Postman collection, it prompts you to add your API key as a variable, but doesn't mention any security measures for protecting it
  • Date + times are displayed using the server's time, rather than the user's time. You could use Date(xxx).toLocaleString to use the user's device time, or have a timezone option in settings.
  • Also the format for showing date/time (e.g. DD/MM/YYYY or MM/YY/DD) should use local format too. Again, you can fix the format just in JavaScript.
  • RTL should be automatic based on language selected, rather than an option in settings (as it breaks everything if you accidentally enable it for English!)
  • After clicking Clear all sessions, page isn't redirected
  • The news in the Dashboard is quite outdated (newest entry / top story is Christmas giveaway)
  • Rewards screen is blank / nothing loads.
  • Feels scammy to have so many rewards, offers, savings, affiliate, 10% off, etc screens all at once
  • The page title for Privacy & Cookie Policy is TOS (terms of service) instead of Privacy Policy

Hope some of that's helpful :)


Lissy93 avatar Lissy93 commented on September 25, 2024

But awesome work. I love that you don't need to give any contact details when signing up, and that you make paying in crypto easy. And very useful service indeed, I'll sure be using it going forwards :)


Lissy93 avatar Lissy93 commented on September 25, 2024

Thanks SO MUCH for going through all that and explaining + fixing. Really appreciate your detailed response.

Would you be up for submitting a pull request for SMSPool's inclusion (link to this ticket in the PR body), or would you like me to do so?


smspool avatar smspool commented on September 25, 2024

It's not a problem; your input is always appreciated. And we're always striving to improve! If you could submit the pull request that'd be great, thank you so much for all the suggestions again.
