[Bug 266821] Re: privacy hole in password reminder
266821 at bugs.launchpad.net
Mon Oct 1 22:51:48 CEST 2012
*** This bug is a duplicate of bug 265179 ***
Are you aware that the bug you made this a duplicate of is marked as
On Tue, Oct 2, 2012 at 6:49 AM, Mark Sapiro <mark at msapiro.net> wrote:
> *** This bug is a duplicate of bug 265179 ***
> ** This bug has been marked a duplicate of bug 265179
> Security hole: passwords mailed in clear
> You received this bug notification because you are subscribed to the bug
> privacy hole in password reminder
> Status in GNU Mailman:
> Bug description:
> Mailman sends me password reminders in plain text. I
> can disable this feature, but other users can manually
> make it send a reminder just as if I had forgotten the
> password, with no other question being asked. If smart
> enough to intercept that message, the attacker could:
> 1) Get my password;
> 2) get my IP in the mail header.
> Possible solutions:
> 1) Some sites and programs use a "secret question"
> whose right answer would give the user the chance to
> get a password reminder.
> 2) The password could be prompted in a secure HTML
> page. I find this safer, as compared to plain text mails.
** Bug watch added: SourceForge.net Tracker #1441723