Hi,
A bug has been identified and *fixed* in the OAuth-based authentication code used on the Python bug tracker bugs.python.org (BPO) to log in with GitHub, Launchpad or Google. Under some conditions, it was possible to be logged as another person account. We are only aware of a single user affected by the issue. We are not aware of any account takeover.
All bugs at bugs.python.org are public: being logged as the wrong account cannot give access to private bugs. The main risk is if an attacker could be logged as an administrator (the "Coordinator" role) which allows to change the bug tracker configuration and to change accounts (add/remove roles, see/change the email address, etc.). We are not aware of any abuse.
All OAuth accounts have been removed in the database to fully fix the issue. Users using OAuth-based authentication must associate again (once) their GitHub, Launchpad or Google account with their BPO account.
A BPO account contains the following information: Name, Login Name, GitHub Name, Organisation, Timezone, Homepage, Contributor Form Received, Is Committer, E-mail address, Alternate E-mail addresses. All fields but Name and Timezone are hidden to other accounts, only coordinators can see all fields of other accounts. You can check in the "Your Details" page for the your account change log.
Thanks Ammar Askar, Berker Peksağ and Ee Durbin who fixed the bug!
Source code of bugs.python.org (Roundup fork): https://github.com/psf/bpo-tracker-cpython
The OAuth-based authentication is an extension written for bugs.python.org. The bug report and its fix:
- https://github.com/python/bugs.python.org/issues/64
- https://github.com/psf/bpo-tracker-cpython/commit/0a32e072aafca20c0bf51cf16f...
Report issues with bugs.python.org: https://github.com/python/bugs.python.org/issues
To report sensitive issues, write to: security@python.org
Victor
Night gathers, and now my watch begins. It shall not end until my death.