[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Trac accounts and potential account compromise

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Trac accounts and potential account compromise
From: Nusenu <BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES@xxxxxxxxxxxxx>
Date: Fri, 02 May 2014 18:34:04 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 02 May 2014 14:41:43 -0400
Dkim-signature: v=1; a=rsa-sha256; d=bitmessage.ch; s=mail; c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding:In-Reply-To:References; bh=XWQbk/4aT4PB/nr+6+fni9VhCXC61JOFzyxo/CdDHPw=; b=Y5JRGIs6mrjfEKLxMhsqdG0erF9if0bKjduwKhBxULtW7jO+V+5EZd5WZyiqMMLE0sHhQc88tdIjnePTyw66GcBSdn9aUA5q/YR0E7nCJnIr7FEfsHe2GPfDQM+bEDP7wajsWPZQGL+YTdge/PkFks1Z1DY4bNzso7K8H1QpqxU=
In-reply-to: <20140502024141.GK19193@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140502024141.GK19193@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

> We learned on recently that there was a bug in our Trac setup that allowed
> anyone to register a new user account for an existing user name, overwriting
> the existing user's password and thereby taking over the account [0].

Has there been an analysis on how many accounts have been compromised
this way (and their email addresses changed)?

When was this vulnerability introduced?


> However, it's still possible that somebody has taken over your account in the
> past and you didn't notice because you didn't log in recently. We recommend
> users try to login and if you find you are unable to do so, you can reset your
> password here: https://trac.torproject.org/projects/tor/reset_password

Not very helpful if the attacker changed the account's email address ;)


btw: Was there any specific reason to wait for 10 days after fixing this
issue before telling tor-talk about it?

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Trac accounts and potential account compromise
  - From: Dedalo Galdos
- Re: [tor-talk] Trac accounts and potential account compromise
  - From: Karsten Loesing

References:
- [tor-talk] Trac accounts and potential account compromise
  - From: Erinn Clark

Prev by Author: Re: [tor-talk] Unimportant Error in FAQ
Next by Author: Re: [tor-talk] Orbot v14 alpha: obfsclient, Tor 0.2.5.3-alpha
Previous by thread: Re: [tor-talk] Trac accounts and potential account compromise
Next by thread: Re: [tor-talk] Trac accounts and potential account compromise
Index(es):
- Author
- Thread