[tor-dev] Trac accounts and potential account compromise

Erinn Clark erinn at torproject.org
Fri May 2 02:41:41 UTC 2014

Dear Tor Trac users,

We learned recently that there was a bug in our Trac setup that allowed
anyone to register a new user account for an existing user name, overwriting
the existing user's password and thereby taking over the account [0].

A workaround was quickly implemented by weasel to prevent new user registration
while we investigated how to re-enable it without encountering this problem
again. Soon after, our configuration was fixed to allow new registrations
without overwriting existing usernames.

However, it's still possible that somebody has taken over your account in the
past and you didn't notice because you didn't log in recently. We recommend
users try to log in, and if you find you are unable to do so, you can reset your
password here: https://trac.torproject.org/projects/tor/reset_password

We apologize for any inconvenience this may have caused you! Please feel free
to contact me with any questions.

Erinn & the rest of the Tor Trac team