[tor-talk] Trac accounts and potential account compromise

Karsten Loesing karsten at torproject.org
Mon May 5 07:27:48 UTC 2014


On 02/05/14 20:34, Nusenu wrote:
>> We learned only recently that there was a bug in our Trac setup that allowed
>> anyone to register a new user account for an existing user name, overwriting
>> the existing user's password and thereby taking over the account [0].
> 
> Has there been an analysis on how many accounts have been compromised
> this way (and their email addresses changed)?

AFAIK, there's no way to find out whether an account has been
compromised, other than asking users to log in and see if their password
still works.

FWIW, we asked a few dozen users with elevated privileges, and none of
them reported that their account has been compromised.

> When was this vulnerability introduced?

Maybe a few months back when upgrading to Trac 1.0/1.0.1?  Erinn might
know better.

>> However, it's still possible that somebody has taken over your account in the
>> past and you didn't notice because you didn't log in recently. We recommend
>> users try to log in and if you find you are unable to do so, you can reset your
>> password here: https://trac.torproject.org/projects/tor/reset_password
> 
> Not very helpful if the attacker changed the account's email address ;)

True.  If somebody can't reset their password because their email
address has been changed, we should probably disable the user account
and ask the person to create a new one.

> btw: Was there any specific reason to wait for 10 days after fixing this
> issue before telling tor-talk about it?

Yes.  We first contacted users with elevated privileges in two rounds to
make sure that all those user accounts are legit.  And then we had to
implement a way for users to reset their password.

All the best,
Karsten
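An added illustration of the failure mode discussed in this thread (example code, not Trac's own code and not taken from the announcement): a minimal registration handler whose "register" is an unconditional upsert, next to the fixed version that lets the database's uniqueness constraint reject an existing name. The schema, user names and e-mail addresses are constructed for the demo; a case-insensitive key is used so that "Alice" cannot shadow "alice".

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed user table (assumption: does not mirror Trac's real schema).
    # COLLATE NOCASE makes "Alice" and "alice" the same key.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY COLLATE NOCASE,"
               " pw_hash BLOB, salt BLOB, email TEXT)")
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register_vulnerable(db, name, password, email):
    # The bug pattern from the thread: registering an existing name silently
    # replaces that user's password hash and e-mail address.
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
               (name, hash_password(password, salt), salt, email))
    db.commit()
    return True


def register_fixed(db, name, password, email):
    # Plain INSERT: the PRIMARY KEY rejects a duplicate name atomically, so
    # there is no check-then-act window between a lookup and the write.
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, hash_password(password, salt), salt, email))
        db.commit()
        return True
    except sqlite3.IntegrityError:
        db.rollback()
        return False  # caller reports "name already taken"


def check_login(db, name, password):
    row = db.execute("SELECT pw_hash, salt FROM users WHERE name = ?",
                     (name,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0], hash_password(password, row[1]))


def email_of(db, name):
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo(register):
    """Replay the takeover scenario against a registration function and
    return (original owner can still log in, e-mail now on record)."""
    db = make_db()
    register(db, "alice", "correct horse", "alice@example.org")
    register(db, "alice", "second password", "second@example.org")
    return check_login(db, "alice", "correct horse"), email_of(db, "alice")
```

With the vulnerable handler the original owner's password stops working and the e-mail on record changes, which is exactly why the mailed reset link cannot reach the real user afterwards.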
