Mats Ahlgren at May 19, 2010 at 5:43 am
The following major security issues also exist:

- If an email account is compromised, an attacker (or even an automated
virus) can easily gather all passwords. This would *NOT* happen if no
reminders were sent, nor would it happen if the classic "answer the
security questions to receive a password reset form" strategy were used.

- Additionally, once the attacker has the dozens of passwords one might
use for various mailman lists, the attack can attempt to use those
passwords on other websites or computer systems (e.g. SSH) in automated
attacks. The most basic attack would merely use the password, but more
sophisticated attacks can use the passwords as seeds in an automated
cracker.
Mark Sapiro: "Are you aware of an attack that would enable this?"

- As the original poster wrote: the password reminders are in plaintext. As far as I know, aren't all email messages sent in plaintext and thus absolutely trivial to eavesdrop on? All the attack would need is a compromised relay on the internet, which I hear is getting more common these days. Just run one of the many network-traffic-monitoring programs and listen for the string "password".

--
privacy hole in password reminder
https://bugs.launchpad.net/bugs/266821
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.


  • Mark Sapiro at May 19, 2010 at 1:18 pm
    We know that plain text emailed passwords are a bad idea. This will be
    fixed in MM 3.

    For MM 2.1, as a list member, you can turn off the periodic reminder for
    any list of which you are a member. As a list owner, you can turn off
    all periodic reminders from your lists. As a site admin, you can turn
    off all periodic reminders from the site.

    That leaves only the "request an immediate reminder and intercept the
    email" attack as a vulnerability. The list subscribe form says:

    You may enter a privacy password below. This provides only mild security,
    but should prevent others from messing with your subscription.
    *Do not use a valuable password* as it will occasionally be emailed back to you in cleartext.

    which implies that such a password, even if it is not an autogenerated
    one, is less likely to work in other contexts.

    ** Changed in: mailman
    Importance: Medium => High

    ** Changed in: mailman
    Status: New => Triaged

    ** Changed in: mailman
    Milestone: None => mailman-2.2-3.0


Discussion overview: group mailman-coders (python), posted May 19, '10 at 5:43a, last active May 19, '10 at 1:18p; 2 posts by 2 users: Mark Sapiro (1 post), Mats Ahlgren (1 post).
