• State Not Answered
  • Replies 11 replies
  • Subscribers 5 subscribers
  • Views 3923 views
  • Users 0 members are here
Options
Related

Mapshare major sharing security issue?

7743663
over 2 years ago

I just started to use mapshare, and right away it seems to me it is sharing a bunch of stuff that I didn't give it permission to share.

For example, I uploaded to explore maps a bunch of collections... one with waypoints for waterfalls, one with waypoints for trig stations, one with waypoints for weirs. I didn't give them permission to share.

So then I  activated an inreach service, and I shared my mapshare via the tracking screen, and Inreach/SMSed myself a link to the sharing page. On clicking the sharing page, I was surprised to see all these collections of waypoints. The collections containing those waypoints did NOT appear in the "Collections" list, BUT the icons of those waypoints did appear!

So going back to my explore web page, I checked on the status of these collections....  and the "M" is greyed out, indicating they are not shared. I clicked on the "M" to see what happens and it brings up a dialog box listing my collections with checkboxes of which to share. And indeed, those collections are not shared. I toggled one on, saved.. went back to the share web page... The collection appeared under "Collections"... back on the explore web page I toggled it off.. and saved, and then went back to the share page... it disappeared from the list of collections, but the waypoints themselves didn't disappear.

Sure, my list of trig stations and waterfalls is not a state secret, but sharing location data without permission is a big no-no.

Another kind-of related issue, is that the toggles in "collections manager" in the Garmin 66i also don't do anything. They don't remove those collections from the device map, and they don't remove them from the device lists of waypoints and routes. Seems to do nothing at all. Probably an unrelated bug... but then again, maybe not... because it seems like multiple Garmin products have issues removing collections from maps, and the 66i collections manager toggles are similar to the "M" enabling of collections in Explore web site. ( I've got firmware 8.80 (609013) on the 66i and Explore version 3.0 (617602) Android)

  • 0 over 2 years ago

    You should open a support ticket with Garmin for both of these issues so that you can get direct help.

  • 0 over 2 years ago

    Other forum posts mention the problem with the 66i collections manager. I don't have enough data to test that one myself. Probably would be good to open a support ticket as this is likely a f/w bug.

    With regard to MapShare, make sure that the LIBRARY is not visible in MapShare. The library contains EVERYTHING. The other collections are really just indirect references to things in the library. If you make the library visible, it does not matter what you do with the individual collections. It'll all show up in MapShare. 

    As far as I can see, the enable/disable for the library on the Map tab at explore.garmin.com is weird. There is no MapShare "toggle" for the library itself. But each type of item (Waypoints, routes, etc.) has a toggle. But the toggle appears to apply to the library as whole. 

    Bottom line: Be sure that the Library is not visible in MapShare. If it is not, then open a support ticket on this one as well.

  • 0 over 2 years ago in reply to twolpert

    So THAT is the reason why all my waypoints are showing!?!  

    When I try to remove the visibility for the Library, I get the following warning:

    This collection is actively receiving new data from the following devices:

    • inReach Explorer (IMEI: xxxxxxxxxxxxxxx)

    Disabling this collection will hide new data from these devices on MapShare.

    I have never dared making this invisible. Since when I did, I didn't get my tracks visible when I tested in the very beginning of my Explorer+ experience. But maybe I was doing something else that was wrong.

    (MapShare follows a really bizarre kind of logic, in my opinion.) 

  • 0 over 2 years ago in reply to Bob_qx

    where can I open a support ticket?

  • 0 over 2 years ago in reply to 7743663

    Use the buttons at the bottom of this page:

    https://support.garmin.com/en-US/?contactOverride=true&productID=639433&tab=topics

    If offered, you are better off with chat or call (phone). Based on forum traffic, email tends to be black hole. Things go in, but nothing comes out.

    For future reference, start at support.garmin.com. Scroll all the way to the bottom of the page. Click the left sidebar link for "Contact Support". Choose your product from the drop-down list. Click the ">" to the right of the drop-down. This opens the standard support page for the product, but WITH the extra Chat/Call/Email buttons at the bottom.

    IIRC, all three buttons are not always present. Might depend on time of day?

  • 0 over 2 years ago

    I'm reproducing here a comment I made on another thread for those interested. @twolpert... when you say there is no toggle for "Library"... you're not quite right...

    When using "Sync Selection", everything started working as I would expect... If I sync everything in "Sync Selection" by enabling every collection, then the toggling of collections on the 66i starts working as one would expect.

    Thus I would suggest that this is a bug that exists in the "Sync Everything" option. One other thing that makes no sense to me is why Sync Everything doesn't insist on a primary selection, like the Sync Selection does. It seems to forcibly create a "Library" collection to serve this purpose. But that raises the question... what if one is swapping back and forth between Sync Everything and Sync Selection, you have a "Library" collection appearing and disappearing. Seems like a terrible design choice. Also "Library" doesn't seem exactly like a Primary Collection, "Library" includes everything, your primary collection just includes things  you create on the device. This is unnecessarily messy if one was switching between those options.

    I also realised that the mapshare bug I mentioned above does indeed seem to be related to this bug. Once I selected "Sync Selection" on the 66i, and synced, then the explore web site's share page when you click the "M" gained an extra checkbox: "Library", which is effectively a "share all" option. The fact that this checkbox isn't visible when I'm doing "Sync Everything" seems wrong for a lot of reasons. Firstly for the obvious reason that silently sharing all your data without telling you and without letting you turn it off, is a shocking security issue. Secondly, because to me at least, it seems weird that one's explore.garmin.com behavior is so intimately connected to the settings on a particular device that share options depend on how one of your devices is configured. What if one had multiple devices? What if one had no devices? Just seems odd. I think explore.garmin.com shouldn't be so tightly coupled with a particular one of your devices. Thirdly, because the "Library" collection is a collection that forcibly appears on your device when one is using "Sync everything", but "Library" is an option that appears in explore.garmin.com when one is NOT using "Sync everything". Maybe some programmer got his boolean logic reversed? At least be consistent, and have "Library" something that exists on explore.garmin.com when you have "Library" on your device. Though I think the whole idea of "Library" is flawed, the sync everything option should just use a regular collection for its primary collection... even if you call it "Library", and leave there, don't destroy it when changing between sync everything and sync selection, just leave it as your default primary collection.

  • 0 over 2 years ago in reply to twolpert

    Hmm, I entered in a support email, pressed "Send Email" and nothing appeared to happen. Tried it many times, started all over again, it's like the form submits, but you're back to where you were. Seems their web site is as buggy as everything else.

  • 0 over 2 years ago in reply to 7743663

    I'm not making myself clear. Let me try one more time.

    Every "item" (waypoint, track, route, activity, or whatever) is stored EXACTLY one time. That storage IS the Library. Garmin tries to make the library look like an ordinary collection. But it is NOT. By definition, the library contains EVERYTHING. ALL THE TIME.

    A normal collection contains "links" to the items in the library. Each normal collection behaves like a subset of the items in the library. It is perfectly fine for the same item to appear in multiple collections.

    The Garmin ecosystem uses collections for several different things. In particular, collections are used to control sync operations (between the Garmin servers and the device(s). AND they are used to control visibility, both on the devices and on the various web properties (explore.garmin.com, the associated MapShare pages, etc.).  

    With regard to sync, each device has a primary collection which you designate on the Plans & Devices tab at explore.garmin.com. Items generated ON the device are stored in the library (because everything is really stored there) and automatically linked to the primary collection. The data is sent from the device to the servers only by a sync operation (wired or OTA via one of the mobile apps). "Sent" inReach track points are an exception - they are sent via the Iridium satellite network in more or less real time

    Each device may optionally have zero or more "synced" collections. During a sync operation, data from these collections are sent TO the device. Activities are never sent to a device.

    On the Plans & Devices tab at explore.garmin.com, you can choose between syncing "everything" and syncing the primary plus selected "sync-d" collections. This is confusing. I don't actually know what "sync everything" means. Likely it DOES mean syncing the library in both directions (with the proviso that activities are probably not sync-d to any device). But that is not clear. Choosing this option ALSO makes it impossible to designate a primary collection, which is a thing you want to do in most cases.

    Map visibility: Map tab at explore.garmin.com. The library and your various collections in the left sidebar. There are eyeball icons at various levels - user, messages for the user, Library, for each type of item in the library, the collections header, and for each collection. These eyeballs control visibility on the map in front of you. Nothing to do with the device or with MapShare.

    User must be visible to see anything iR related.

    Library must be visible to see any type of item stored within the library - regardless of what other collections the items appear in. If you hide the library, the visibility of other collections does not matter. 

    Similarly, you can show or hide individual item types by using the eyeballs for the item types below the Library. For example, if you hide Waypoints within the library, you will not see waypoints in ANY collection.

    Finally, you can show or hide ALL collections (the collection header) or individual collections (the eyeball for each collection).

    The best way to think about visibility on the map is that visible collections "filter" whatever types are visible from the library.

    Logically, MapShare visibility is controlled at the Library and Collection levels. The icon really should appear in the left sidebar on the main Map page. But it does not.

    For individual collections, click the ">" to show the collection details. MapShare visibility is controlled by the "M" icon on the collection header in the "next" left sidebar.

    For the library as a whole, click the ">" on ANY type row. The M icon in the resulting Library header in the next sidebar opens a pop-up window where you can control MapShare visibility of individual collections AND the library as a whole. You started from a "type" row. That would seem to imply that what your are doing is somehow type-specific. It is not. 

    The bottom line with regard to visibility is that if the Library as a whole is visible in a particular context, everything is visible.

    There is additional filtering available on the Map tab, as well as on MapShare.

  • 0 over 2 years ago in reply to 7743663

    I have never used email because it is a black hole. I suspect that your ticket was actually submitted, but I do not know. You will probably receive an automated acknowledgement at the email you specified if the ticket was opened.

  • 0 over 2 years ago in reply to twolpert

    @toolpert  I understand what you're saying, but have you noticed that if you "Sync Everything" there is an actual collection on your device called "Library"? And yet... Library then disappears from explore.garmin.com? It disappears in two places, both as a category on the left bar, and as a checkbox option when you click the "M" mapshare on a collection. So it appears on the device and disappears on the site. When you "Sync Selection", Library disappears on your device and appears on explore.garmin.com, in the left bar and as an "M" checkbox. Surely this makes no sense.

    If Garmin wants to have a "Library" which includes everything, that's fine, but why have weird inconsistent behavior, why not have it always there. As I was saying, since Library doesn't exist on explore.garmin.com when you Sync Everything, you MUST mapshare ALL your data with the world, because you lose the ability to uncheck "Library" in the "M" menu. It's like Library still exists in some hidden fashion, sharing all your stuff, but not in the UI, so you can't disable its sharing.

    Not to mention that Collection Manager on the device is completely broken when you Sync Everything.