privacy hole in password reminder
Bug #266821 reported by Dmvianna-users
This bug report is a duplicate of:
Bug #265179: Security hole: passwords mailed in clear.
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNU Mailman | Triaged | High | Unassigned |
Bug Description
Mailman sends me password reminders in plain text. I can disable this feature, but other users can manually make it send a reminder just as if I had forgotten the password, with no other question being asked. If smart enough to intercept that message, the attacker could:
1) get my password;
2) get my IP in the mail header.
Possible solutions:
1) Some sites and programs use a "secret question", the right answer to which would give the user the chance to get a password reminder.
2) The password could be prompted for in a secure HTML page. I find this safer, as compared to plain text mails.
[http://
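The two behaviours discussed in this report side by side, as an added example that is not Mailman's own code: a reminder that mails the stored password to whoever names the address, next to a replacement that stores only salted hashes and sends a single-use, expiring reset token instead. The subscriber table, function names, token lifetime and mail text are assumptions for illustration. The caveat a practitioner should keep in mind is that the reset mail still travels over the same channel, so an intercepted copy can be used within its lifetime; what changes is that the message no longer carries the credential, is consumed on first use, and gives an identical reply for unknown addresses so it cannot be used to probe the subscriber list.

```python
"""Added example (not Mailman code): plaintext reminder vs. hashed store
plus single-use reset tokens. Names and data below are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample data: a list that keeps subscriber passwords in the
# clear, which is the only reason a "reminder" can exist at all.
PLAINTEXT_SUBSCRIBERS = {"alice@example.org": "hunter2"}


def insecure_reminder(address):
    """Reminder as reported: anyone who knows an address can have the stored
    password mailed to it with no further check. Returns the mail body that
    would be sent, or None for an unknown address (which also leaks
    whether the address is subscribed)."""
    password = PLAINTEXT_SUBSCRIBERS.get(address)
    if password is None:
        return None
    return f"Your list password is: {password}"


class ResetService:
    """Replacement: salted PBKDF2 hashes only, so no password can be mailed,
    plus reset tokens that are hashed at rest, expire, and work once."""

    ITERATIONS = 100_000

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.credentials = {}   # address -> (salt, pbkdf2 digest)
        self.pending = {}       # sha256(token) -> (address, expiry)

    def set_password(self, address, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     self.ITERATIONS)
        self.credentials[address] = (salt, digest)

    def verify(self, address, password):
        entry = self.credentials.get(address)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def request_reset(self, address, now=None):
        """Issue a reset token and return the mail body destined for the
        registered address. An unknown address gets an identical body whose
        token is never stored, so the request cannot probe the list. Only
        the hash of the token is kept, so a copy of the database does not
        yield usable tokens."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        if address in self.credentials:
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (address, now + self.ttl)
        return ("To choose a new password, open "
                f"https://lists.example.org/reset?token={token}")

    def complete_reset(self, token, new_password, now=None):
        """Consume a token: it must exist and be unexpired, and it is removed
        on the first attempt either way, so an intercepted copy is worthless
        once used and never reveals the previous password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)
        if entry is None:
            return False
        address, expiry = entry
        if now > expiry:
            return False
        self.set_password(address, new_password)
        return True
```

The `now` parameter exists so expiry can be exercised deterministically; in production it would be left at its default. The token is returned only inside the mail body, which models the fact that the server itself never needs to hand the raw token to anything but the mail transport.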
I'm not sure what IP you think would be in the email header that isn't already publicly available via a DNS query of your email domain, or why you think even that IP would be in the header of an intercepted mail.

Also, when you say "If smart enough to intercept that message", are you aware of an attack that would enable this, or are you just concerned that it could happen?

Finally, password reminders will go away in Mailman 2.2. We'll try to keep your concern in mind as we work on their replacement.