[tor-talk] Trac accounts and potential account compromise

Dedalo Galdos seguridadblanca at gmail.com
Fri May 2 19:47:02 UTC 2014


I reported this like 2 weeks ago (https://trac.torproject.org/projects/tor/ticket/11545); it depends on admins analysing this issue.
On May 2, 2014 2:41 PM, "Nusenu" <BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch> wrote:

> > We learned on recently that there was a bug in our Trac setup that allowed
> > anyone to register a new user account for an existing user name, overwriting
> > the existing user's password and thereby taking over the account [0].
>
> Has there been an analysis on how many accounts have been compromised
> this way (and their email addresses changed)?
>
> When was this vulnerability introduced?
>
>
> > However, it's still possible that somebody has taken over your account in the
> > past and you didn't notice because you didn't log in recently. We recommend
> > users try to login and if you find you are unable to do so, you can reset your
> > password here: https://trac.torproject.org/projects/tor/reset_password
>
> Not very helpful if the attacker changed the account's email address ;)
>
>
> btw: Was there any specific reason to wait for 10 days after fixing this
> issue before telling tor-talk about it?

