
[tor-dev] Trac accounts and potential account compromise



Dear Tor Trac users,

We learned recently that there was a bug in our Trac setup that allowed
anyone to register a new user account for an existing user name, overwriting
the existing user's password and thereby taking over the account [0].

A workaround was quickly implemented by weasel to prevent new user registration
while we investigated how to re-enable it without encountering this problem
again. Soon after, our configuration was fixed to allow new registrations
without overwriting existing usernames.

However, it's still possible that somebody has taken over your account in the
past and you didn't notice because you didn't log in recently. We recommend
users try to log in, and if you find you are unable to do so, you can reset your
password here: https://trac.torproject.org/projects/tor/reset_password

We apologize for any inconvenience this may have caused you! Please feel free
to contact me with any questions.

Erinn & the rest of the Tor Trac team


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev