Comment 11 for bug 262193

Yagisan (yagisan) wrote :

> We do send mail when someone sets this information.

This is not good enough, Mark. People should NOT be able to change MY profile. I registered, I set what information I want to disclose, that I feel is required. NOT some random stranger.

> Saying "nobody should provide information about me" is tantamount to saying "nobody should edit a wikipedia page about me".

No - I'm saying no one but the owner of the profile can edit it. This is not a wikipedia page, it is a registered user's profile. Why not let random strangers upload a pgp/gpg key claiming it is the account holder's? You allowed them to edit the account holder's profile. How about editing memberships? email addresses? - Why is it ok for random strangers to be able to edit parts of my profile at all?

> The system is designed to encourage people to organise teams both virtually and physically, and hence we allow people to say who they have in a team and where those people are.

I provide more than enough information to contact me virtually should people need to. It has never stopped anyone from working with me. A select few of your employees and MOTU also know my phone number and how to contact me in person. The difference is I chose to provide that information to those people.

I did not choose for someone else to edit my profile.

> We do specifically recommend that folks not disclose home addresses, but simply approximate location accurately enough to get time zones right.

So? How is allowing a complete stranger to edit my profile a good thing?

> More importantly, we lock the data when the user provides it themselves.

I never chose to provide that data. Locking it after the fact is a moot point. It should not have been able to be modified by someone other than the Launchpad account holder.

Frankly, given how I feel about this bug, and with references to how I've contributed to Ubuntu in the past, I'll start you off on how I think you should treat this.

===========================================================
Ubuntu Security Notice USN-670-1 November 12, 2008
Launchpad Information Disclosure Vulnerability
https://bugs.launchpad.net/bugs/262193
===========================================================
A flaw has been discovered in the Launchpad bug tracking system, where unauthorised third parties
may edit portions of a registered user's profile without their consent. This affects all users that have
not chosen to display their location on their profile.

When contacted about this vulnerability, Canonical claimed that was by design. Users are advised to
discontinue use until the vendor rectifies this vulnerability.

Users that must continue to use Launchpad have been advised a workaround exists by setting a
false location, or by selecting a setting announcing that you wish to hide that information.