Launchpad publishes confidential email addresses

Bug #416915 reported by Don Cristóbal
This bug affects 1 person
Affects: Launchpad itself
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Even if you choose not to publish your email address, you're very likely to find it sooner or later in other people's postings on Launchpad. How come?
* Subscribers receive your message by email, as if you had sent an email from your personal address. I don't especially like this, but OK, no one except other Launchpad users can see the addresses like this, and it allows private messages.
* The other subscribers can use the reply button of their mail client in order to directly post their reply to Launchpad. This is a nice feature, as such.
* But many mail clients include a line such as "[mail address] wrote on [date]" in their replies.
* Now Launchpad is not careful enough: It does not filter the incoming messages for confidential email addresses - which it definitely should do.

What should be done concretely:
A.
* Every incoming posting should be scanned for email addresses.
* Every email address that's found should be checked against the central list of email addresses.
* If it is found, but not declared to be public, it must be removed. If it is not found at all, it must be removed, too. I.e. it can only be kept in the text if it is known to be public. Removed addresses can be replaced by a placeholder ("email address removed according to privacy settings" or so).

B.
All existing threads should be treated in the same way. There must be myriads of good-quality mail addresses on launchpad.net.

Fixing this bug (or adding this feature, if you like) is an important contribution to the reduction of spam, phishing mails and the like. In a broader sense this means the bug is a security vulnerability, so I flag it accordingly.

This is not a duplicate of bug #388843 that was closed because the reporter did not find the published addresses any more.

visibility: private → public
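
The filtering proposed under A and B of the description, sketched as an added example (not part of the original report and not Launchpad's own code). The directory mapping, the function names and the sample message are constructed assumptions.

```python
import re

# Pragmatic matcher, not full RFC 5322: local part, "@", dotted domain.
# A trailing sentence period is not swallowed because every dot must be
# followed by at least one domain character.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
PLACEHOLDER = "[email address removed according to privacy settings]"


def redact_addresses(text, directory):
    """Keep only addresses the directory marks as public (step A).

    directory maps address -> True (public) / False (hidden); this shape is
    an assumption. Hidden and unknown addresses are both replaced.
    Returns (clean_text, removed_addresses).
    """
    # Assumption: addresses are compared case-insensitively.
    public = {addr.casefold() for addr, is_public in directory.items() if is_public}
    removed = []

    def _replace(match):
        addr = match.group(0)
        if addr.casefold() in public:
            return addr
        removed.append(addr)
        return PLACEHOLDER

    return EMAIL_RE.sub(_replace, text), removed


def scrub_thread(comments, directory):
    """Apply the same filter to comments that are already stored (step B)."""
    return [redact_addresses(body, directory)[0] for body in comments]


# Constructed sample: a mail-client reply with a quoted attribution line.
DIRECTORY = {"alice@example.com": False, "bob@example.org": True}
SAMPLE = (
    "On 2009-08-21, Alice <Alice@Example.com> wrote:\n"
    "> see my patch\n"
    "Thanks. Cc carol@example.net, or reach me at bob@example.org.\n"
)

if __name__ == "__main__":
    clean, removed = redact_addresses(SAMPLE, DIRECTORY)
    print(clean)
    print("removed:", removed)
```
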
This report contains Public Security information  
Everyone can see this security related information.
