[tor-talk] Trac accounts and potential account compromise
Nusenu
BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Fri May 2 18:34:04 UTC 2014
> We learned recently that there was a bug in our Trac setup that allowed
> anyone to register a new user account for an existing user name, overwriting
> the existing user's password and thereby taking over the account [0].
Has there been an analysis on how many accounts have been compromised
this way (and their email addresses changed)?
When was this vulnerability introduced?
> However, it's still possible that somebody has taken over your account in the
> past and you didn't notice because you didn't log in recently. We recommend
> users try to log in and if you find you are unable to do so, you can reset your
> password here: https://trac.torproject.org/projects/tor/reset_password
Not very helpful if the attacker changed the account's email address ;)
btw: Was there any specific reason to wait for 10 days after fixing this
issue before telling tor-talk about it?