launchpad leaks private email addresses when sending mail

There appears to be a column for this in the database (hide_email_addresses).

Bug 107973 raises this issue, but refers specifically to commit messages.

Are there any other bugtrackers that allow this?

I first read this bug as "there is no option to complete hide email addresses". However there is an option cleverly hidden on https://launchpad.net/~<user>/+edit

Rob, does this bug refer to the existence of the option or to its effect?

I have hidden my address using the above option, but it gets exposed when people quote my comments using an e-mail client. An example is bug #122163.

if launch pad had a in built message system like facebook then users would never need to publish their e-mail addresses.

If someone files a bug, and one of the subscribers is a mailing list, that person's email address becomes recorded in the mailing list's archive and is crawlable, albeit in the name AT domain dot tld format.

For example: bug 235993 ended up archived at https://lists.ubuntu.com/archives/ubuntu-bluetooth/2008-May/001293.html

This has led to one very annoyed Launchpad user emailing me to ask why Launchpad has sent his email address to a mailing list.

Given that if we recognize the email address in a revision we now present a link to the person instead of showing the address, I think the launchpad-bazaar part of this is fixed.

So to solve this for bugmail, we'd need to set up a reflector email address that was @launchpad.net but which forwarded to the original reporter. I believe there's already a bug report requesting this against Malone -- something like <email address hidden> -- once that was available, fixing this bug would only involve using that email address as the From: address before sending out bugmail.

If this happens elsewhere in Launchpad, I think a more specific bug should be opened -- this bug is a bit too generic.

On Sat, Aug 16, 2008 at 01:56:47PM -0000, Christian Reis wrote:
> So to solve this for bugmail, we'd need to set up a reflector email
> address that was @launchpad.net but which forwarded to the original
> reporter. I believe there's already a bug report requesting this against
> Malone -- something like <email address hidden> -- once that
> was available, fixing this bug would only involve using that email
> address as the From: address before sending out bugmail.

This only works for the bug reporter. What about other people who
comment on the bug? I'd suggest simply using <email address hidden>
instead. Not quite the same, but should work in most cases, and is a lot
easier to implement.

Oh, I see. You're suggesting mangling the sender's email address to the actual bug number in the cases in which he has hidden his email address. That's a smart idea!

Do you think people will be confused that some bugs' From contains the bug number and others an email address? Could we mitigate that by adding a note to the email?

On Mon, Aug 18, 2008 at 11:31:40AM -0000, Christian Reis wrote:
> Do you think people will be confused that some bugs' From contains the
> bug number and others an email address? Could we mitigate that by adding
> a note to the email?

I don't think they will be too confused. I don't think that many people
pay attention to the e-mail address. I'd rather add a note to the
From header, than in the e-mail itself. For example:

From: Bjorn Tillenius (real e-mail address hidden) <email address hidden>

On Mon, 2008-08-18 at 14:36 +0000, Björn Tillenius wrote:
> On Mon, Aug 18, 2008 at 11:31:40AM -0000, Christian Reis wrote:
> > Do you think people will be confused that some bugs' From contains the
> > bug number and others an email address? Could we mitigate that by adding
> > a note to the email?
>
> I don't think they will be too confused. I don't think that many people
> pay attention to the e-mail address. I'd rather add a note to the
> >From header, than in the e-mail itself. For example:
>
> From: Bjorn Tillenius (real e-mail address hidden)
> <email address hidden>

Could just do this always, as an 'anti spam' feature; and let people
click through the person in launchpad to find the actual sender.

-Rob
--
GPG key available at: <http://www.robertcollins.net/keys.txt>.

We just received a feedback email on this topic where someone's private email was exposed in a reply to a bugmail.

Yeah, I commented on this one year ago (see comment 5).

Unfortunately I won't submit any further defect on launchpad until this gets fixed. I really like Ubuntu and would like to improve its quality through submitting bug reports. However this is not worth the effort of changing my Email address on a monthly base.

Suddenly I got spamed at my private email address, which I had to change some months ago. I submitted a defect (bug #265065) and my email address got published on nabble.com (http://www.nabble.com/-Bug-265065---NEW--Subversion-1.5.1-does-not-work-with-SSL-certificates-td19331874.html). Until then I have received not a single SPAM message to this email address.

Hello,
there is a webpage, www.emailhide.org, that encrypts your email address in a secure manner. All you nedd to do is type in your email address and is returned html code with a link with your encrypted email. I've tried and now i use it everytime. There's also a automatic gen for webmasters. Check it out.

How shall this help, when you have to enter an email address to sign up at launch pad and when the same email address is used here? I got a notification about your new posting and I have your gmail.com address. So this is obviously also of no use for you ;-)

well that's true. This only works for protecting after the register form on a website. But either way you have to agree that, by using the encryption method on that site, it turns a bit more difucult for a spam bot to retrieve your email on a forum or a blog.

Other parts of Launchpad send email using addresses of the form Bjorn suggested in comment 13, e.g. <email address hidden>. Bugs could do the same and I concur with Robert that they always should.

If we give users an option to 'hide my email address' then we should honor the expectation that gives them, that we will not reveal it.

I agree that finding a solution for the future is a central task here. But I also request Launchpad to asap remove the quite many copies of my email address from the existing postings. Maybe I'm naïve, but in my opinion this should not be too difficult. Something like
s/\w.*?@\w.*?\.\w.*?/(email address removed for reasons of privacy/
should do the job, shouldn't it?* It could be applied to all existing posts and to all new messages from tomorrow.

Please increase this bug's importance. It is not at all low. Launchpad pretends to take my concerns seriously by offering me to hide my email address, but it does not fulfil its promise. I'm disappointed.

*) The regex is obviously not yet ok, it's just an example. For instance, it would miss <email address hidden> because of the two points. But don't worry, there must be THE very sophisticated regex-to-catch-them-all out there, that no email address ever escaped.

Ahem, my regex example is extremely not ok :-) But you get my point: Take a valid expression and remove all the email addresses. Thank you!

Please don't start falsifying email addresses even for users that disclose them. That breaks things if I ever want to send an out-of-bug reply, breaks filtering, and is generally unproductive.

Christoph, did you know that email addresses in comments are already filtered? Only authenticated users can see them.

William, no, I did not know email addresses are not visible when your not logged in. At first, it sounds very clever to me. But then... it's quite a weak protection:

If I earned my living spamming your inboxes, I would make a business out of having some hundreds of "authenticated" forum identities everywhere on the internet. There I would collect high-quality email addresses and sell them for good money.

About your two main concerns:
> That breaks things if I ever want to send an out-of-bug reply,
As far as I have understood, people are discussing technical solutions that should allow you to do exactly that.

> breaks filtering
If the user name is displayed (e.g. "Christoph <email address hidden>"), you can use the name as a filter instead of the email address.

Last, but not least, a question: Why not just completely hide all undisclosed email addresses and offer a mail form on the webpage for private messages? That's a solution you can see often. For my needs it would be perfectly fine. You could include a checkbox in the form "disclose my email address to the recipient" that's checked by default.

2009/8/22 Christoph <email address hidden>:
> Last, but not least, a question: Why not just completely hide all
> undisclosed email addresses and offer a mail form on the webpage for
> private messages? That's a solution you can see often. For my needs it
> would be perfectly fine. You could include a checkbox in the form
> "disclose my email address to the recipient" that's checked by default.

I think this is a separate but reasonable feature request.

At the moment Launchpad's policy is: your address should be visible to
other authenticated users. You could ask for another level that it's
not visible at all and only Launchpad will send you mail. On the
other hand maybe you should just register from a disposable address,
then you don't need to even trust lp.

--
Martin <http://launchpad.net/~mbp/>

Please do increase the priority of this security related bug.
(It increases the exposure to email exploids in spam/malware and initiates it for prior private adresses.)

Launchpad is not delivering when it claims to "Hide my email addresses from other Launchpad users". It actually always sends it to other users and often times directly into public archives.

I'm invalidating the task against "Launchpad itself." This is specifically a Malone issue now, unless discovered otherwise in the codebase, and the "Launchpad itself" project is a general project that we don't keep bugs filed against (because they'd just get lost).

More than malone sends email: lp-code does, translations does, soyuz
does. So I disagree that its malone specific ;)

-Rob

2010/1/27 Robert Collins <email address hidden>:
> More than malone sends email: lp-code does, translations does, soyuz
> does. So I disagree that its malone specific ;)
>

Ah; I misunderstood - there's a Fix Released task for lp-code...

Anyway, if we've got specific cases of this bug for other LP
components, we should retarget the "Launchpad itself" task to that
component and then add more as required. Part of the problem is that
we don't have a grand unified mail sending utility. Maybe that's the
best way to fix this.

I am agreed with Graham that we should target the specific components of Launchpad that still have this issue.

Also, we will upgrade the importance of this bug when we focus on email and notifications. We haven't had the discussions in Launchpad planning and strategy to get this schedule yet, but I hope that we will do a story around email sooner rather than later.

Should this bug be marked as a security vulnerability?

Why?

Because the setting "Hide my email addresses from other Launchpad users" has no effect in emails sent by Launchpad.

That's not a good reason to *hide this bug report from users*. If
anything, its a reason to make it visible so users know that this is
the case, until its fixed.

Thanks for increasing this bug's priority.

It may make sense to fix this at the same time as bug 31586 and bug 138592.

Fixed in stable r10999 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/10999>

While it's great that this bug got fixed, it breaks the sole programmatic way of going from an email bug comment to the launchpad id of the person making the comment. The commenter may not be the reporter of the bug,so the recently added X-Launchpad-Bug-Reporter header doesn't apply and the X-Launchpad-Bug-Commenters header gives the launchpad id of *all* the commenters on a bug report, not distinguishing the id of the person making this specific comment. I've filed bug 605340 with more details.