Can developers address security loopholes in proof notification links?

I recently had the experience of a guest user gaining unauthorized access to my account when I inadvertently forwarded an internal proof notification.

Support explained the following: "From what you are saying it sounds like those users are getting your routing link through a forwarded email, and they aren't noticing that it's logging them in as you. The URL attached to those emails is linked to your credentials for that proof, so anyone who follows the link will be entered into the proof as you. There is a setting on each proof to change that behavior by requiring users to log in to the proof, that will prevent people who ended up with your personalized link from making changes as you. This will, however, prevent unlicensed users from accessing the proof. If all of your work is done internally and you don't have to have guest users, and external users access the proof then this would be the best route. If you do need external users to have access then it would be best to not forward notification emails from proof, as they contain that personalized link."

Would it be possible in a future update to close this loophole by somehow referencing IP addresses to block this type of access to guest users?
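The behaviour support describes above, modelled as an added example that is not part of the original post and is not Adobe's code. All names, the sample accounts, and the rule that a logged-in reviewer acts under their own identity are assumptions made for illustration.

```python
import secrets

# Constructed sample data: accounts able to log in, and one proof's reviewers.
LICENSED_USERS = {"owner@example.com", "colleague@example.com"}
PROOF_REVIEWERS = {
    "proof-1": {"owner@example.com", "colleague@example.com", "guest@example.net"},
}
_links = {}  # token -> (recipient, proof_id)


def issue_personal_link(recipient, proof_id):
    """Create the per-recipient token a notification e-mail would carry."""
    token = secrets.token_urlsafe(32)
    _links[token] = (recipient, proof_id)
    return token


def open_proof(token, logged_in_as=None, require_login=False):
    """Return the identity that actions on the proof are recorded under."""
    if token not in _links:
        raise PermissionError("unknown link")
    recipient, proof_id = _links[token]
    if not require_login:
        # The link alone decides identity: whoever holds the URL,
        # including someone it was forwarded to, acts as the recipient.
        return recipient
    if logged_in_as is None or logged_in_as not in LICENSED_USERS:
        # Guests have no account to log in with, so they lose access.
        raise PermissionError("login required")
    if logged_in_as not in PROOF_REVIEWERS[proof_id]:
        raise PermissionError("not a reviewer on this proof")
    # Identity now comes from the session, not from the link.
    return logged_in_as
```

With `require_login=False` a forwarded link still resolves to the original recipient; with `require_login=True` the same link no longer confers that identity, and a guest's own link stops working as well, which is the trade-off support points out.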

21 Replies

Thanks for your insight from an agency perspective. There are situations where a designer would be in charge of a proof (freelance or sole proprietorship).

The issue Kevin and I have is not a perceived "need" to forward notifications, but a security loophole when an internal proof notification is knowingly or unknowingly forwarded to an external reviewer.