Emails and Activities Possible Security Warning

Feature requests
,
1

Sharing some info in case someone else finds themselves in a similar situation.

When using Emails and Activities and with an email column for automations (with email added), you can see the full inbox of other users if their email is in the email column. I’ve been discussing this as an issue with support for over a month. I have been told this is working as intended, but it is a huge security issue as you can see your co-workers emails.

I’ll detail few experiences below. I also found this thread discussing some related challenges, but doesn’t specifically mention the email column.

I mention again that m.c support said this is working as intended. But, at this time we won’t be able to use it because of the security risk of any employee being able to read any other connected employee’s emails.

Four Scenarios I tested:

ONE - When Emails and Activities is active
AND email address IS present in the items email column
AND sharing set to ‘everyone’

  1. When clicking to “Emails and Activities” the browser will go unresponsive for 20-45 sec (sometimes crash altogether)
  2. When browser is responsive again, all m.c dashboard, items, views everything is blank
  3. If my personal email address is in the email column I can see my entire inbox (over 800+ emails)
  4. If a coworkers email address in the email column AND they have NOT connected E&A+email - I can see any emails we were both participants in only
  5. If a coworkers email address in the email column AND they HAVE connected E&A+email - I can see ALL of their emails whether I was included as a recipient or not

TWO - When Emails and Activities is active
AND email address IS present in the items email column
AND sharing set to ‘just me’

  1. When clicking to “Emails and Activities” the browser will go unresponsive for 20-45 sec (sometimes crash altogether)
  2. When browser is responsive again, all m.c dashboard, items, views everything is blank
  3. If my personal email address is in the email column I can see my entire inbox (over 800+ emails)
  4. If a coworkers email address in the email column AND they have NOT connected E&A+email - I can see any emails we were both participants in only
  5. If a coworkers email address in the email column AND they HAVE connected E&A+email - I can see ALL of their emails where I was included or not NOTE even set to ‘just me’ emails are still visible

THREE - When Emails and Activities is active
AND email address is NOT present in the items email column
AND sharing set to ‘everyone’

  1. When clicking to “Emails and Activities” the browser does NOT go unresponsive
  2. M.c dashboard remains visible and functions as expected
  3. Only emails sent in response to specific item are visible - NOT entire inbox as stated in case one and two
  4. Coworkers that have NOT connected E&A+email - can see any emails related to specific item only (NOT entire inbox)
  5. Coworkers that HAVE connected E&A+email - can see any emails related to specific item only (NOT entire inbox)

FOUR - When Emails and Activities is active
AND email address is NOT present in the items email column
AND sharing set to ‘just me’

  1. When clicking to “Emails and Activities” the browser does NOT go unresponsive
  2. M.c dashboard remains visible and functions as expected
  3. Only emails sent in response to specific item are visible - NOT entire inbox as stated in case one and two
  4. Coworkers that have NOT connected E&A+email - do NOT see any emails
  5. Coworkers that HAVE connected E&A+email - do NOT see my emails but can see their own (with ‘just me’ set for themselves)
2

@Audiomutt, I know I’m months behind in finding this discussion, but I would like to clarify-- were the messages being sent by you and/or your coworker being sent from within the Monday.com E&A app, or are they being sent from your regular inbox-- Gmail, Outlook, etc?
Have you found any, or created any, guidelines or workarounds that allow your team to use the app ‘safely’?