Security Update Applied to Public Applications

Dear App Creators,

We rolled out a security update on July 2nd, 2020, for "public applications" and "public components" — Zoho Creator applications or their forms, reports, and pages that are made public to all visitors over the Web.

Note: Unless you receive an email from us regarding this, this update does not concern you.
Emails have been sent





About the update

When a user (logged into their Zoho account) accessed a public component, the Deluge system variables zoho.loginuserid and zoho.loginuser were returning the logged-in user's email address and username, respectively. This will no longer happen.

From now on, the new values for these system variables in all public components are:
  • zoho.loginuser = Public
  • zoho.loginuserid = null
Please note that this update does not concern the forms, reports, and pages that you've published.

Why the update

This update is long overdue. We have now fixed this behavior as it could be misapplied to collect (and use) the end user's personally identifiable information without their consent — a privacy and security vulnerability.

We apologize for any inconvenience this may cause.

Action required

If you've made applications and components public, we request that you check them for the usage of the system variables zoho.loginuser and zoho.loginuserid, and ensure that your application logic remains intact when these variables return Public and null, respectively.
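One way to carry out this check, as an added example that is not Zoho's code: a Python script that scans Deluge script text for the two variables and reports whether each use is a raw value, a comparison that will now behave differently, or a test that already handles Public / null. The Deluge lines in SAMPLE, the function names and the verdict labels are constructed for illustration.

```python
import re

# Longer name first: "zoho.loginuser" is a prefix of "zoho.loginuserid".
VAR_RE = re.compile(r"\bzoho\.(loginuserid|loginuser)\b")
# Value each variable now returns in a public component (from the notice).
NEW_VALUE = {"loginuser": '"Public"', "loginuserid": "null"}
# The variable on either side of == or != ({v} is filled in per variable).
CMP_RE = r"(?:{v}\s*[!=]=\s*(?P<rhs>[^\s)&|;]+)|(?P<lhs>[^\s(&|;]+)\s*[!=]=\s*{v})"

# Constructed Deluge lines for the demonstration, not from a real application.
SAMPLE = '''\
// zoho.loginuserid used to hold the visitor's email address
input.Email = zoho.loginuserid;
url = "https://example.invalid/?u=" + zoho.loginuserid;
if(zoho.loginuser == "Public")
{
    alert "Please sign in";
}
if(zoho.loginuserid != "owner@example.com")
{
    alert "Signed in as " + zoho.loginuser;
}
'''

def strip_comment(line):
    """Drop a trailing // comment, ignoring // inside double-quoted strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
    return line

def audit(script):
    """Return (line_no, variable, verdict) for each use in Deluge script text."""
    findings = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        code = strip_comment(raw)
        for match in VAR_RE.finditer(code):
            name = match.group(1)
            var = re.escape(match.group(0)) + r"\b"
            cmp = re.search(CMP_RE.format(v=var), code)
            if cmp is None:
                verdict = "value-used"      # stored, sent or passed on as data
            elif (cmp.group("rhs") or cmp.group("lhs")) == NEW_VALUE[name]:
                verdict = "handles-public"  # already tests for the new value
            else:
                verdict = "comparison"      # result changes for signed-in visitors
            findings.append((line_no, "zoho." + name, verdict))
    return findings
```

Lines reported as value-used or comparison are the ones to review by hand; handles-public lines already account for the new return values.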

- - - - - - - -

If you have any questions or concerns, or need any assistance, please comment below, or reach out to us at support@zohocreator.com.

Best,
The Zoho Creator Team