Published: Friday, 30 January 2015 23:33
Written by Ben Tasker
This issue is, by no means, Joomla specific - but Joomla's mass mail functionality provides a good example of what can go wrong.
The expectation that most users have, is that the list of recipients BCC'd on an email will never be visible to any of those recipients.
Unfortunately, whether or not that's the case may well depend on the Mail Transport Agent (MTA) that you are using.
Those familiar with Joomla's Mass Mail feature will know that by default, recipients are BCC'd - unfortunately, if you're using Exim (which most CPanel servers, for example, are) then you may in fact find that those receiving your message can see exactly who it was sent to.
Whether or not this BCC Leak is visible to the recipients will depend on what mail client they use (assuming they're not in the habit of looking at the mail headers anyway....), but those using Google Apps/Google Mail will have the list clearly presented to them when viewing the mail.