[Bug 266821] Re: privacy hole in password reminder

trampster 266821 at bugs.launchpad.net
Mon Oct 1 22:51:48 CEST 2012


*** This bug is a duplicate of bug 265179 ***
    https://bugs.launchpad.net/bugs/265179

Are you aware that the bug you made this a duplicate of is marked as
invalid?

On Tue, Oct 2, 2012 at 6:49 AM, Mark Sapiro <mark at msapiro.net> wrote:

> *** This bug is a duplicate of bug 265179 ***
>     https://bugs.launchpad.net/bugs/265179
>
> ** This bug has been marked a duplicate of bug 265179
>    Security hole: passwords mailed in clear
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/266821
>
> Title:
>   privacy hole in password reminder
>
> Status in GNU Mailman:
>   Triaged
>
> Bug description:
>   Mailman sends me password reminders in plain text. I
>   can disable this feature, but other users can manually
>   make it send a reminder just as if I had forgotten the
>   password, with no other question being asked. If smart
>   enough to intercept that message, the attacker could:
>
>   1) Get my password;
>   2) get my IP in the mail header.
>
>   Possible solutions:
>
>   1) Some sites and programs use a "secret question"
>   whose right answer would give the user the chance to
>   get a password reminder.
>
>   2) The password could be prompted in a secure html
>   page. I find this safer, as compared to plain text mails.
>
>   [http://sourceforge.net/tracker/index.php?func=detail&aid=1441723&group_id=103&atid=350103]
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mailman/+bug/266821/+subscriptions
>


** Bug watch added: SourceForge.net Tracker #1441723
   http://sourceforge.net/support/tracker.php?aid=1441723

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/266821

Title:
  privacy hole in password reminder

To manage notifications about this bug go to:
https://bugs.launchpad.net/mailman/+bug/266821/+subscriptions