On Fri 2015-01-23 15:17:19 -0500, Launchpad wrote:

> vovd (vovd) tried to claim the Launchpad
> team named Debian Javascript Maintainers (pkg-javascript-devel-lists)
> (which is associated with pkg-javascript-devel@lists.alioth.debian.org).
> To finish claiming that team, making vovd (vovd)
> its owner, just follow the link below.
>     https://launchpad.net/token/s82RbqGNq9Zn29808FhD

This is a troubling situation.  Launchpad sends this token, but the
owner is a publicly-archived mailing list.

All an attacker needs to do is submit a request to claim the team, then
read the archive to find the token and claim the team.

Should Launchpad have a warning against assigning group ownership to a
public mailing list?

fwiw, i've been on the Debian Javascript Maintainers mailing list for
over a year and i've never heard of anyone named vovd.


Pkg-javascript-devel mailing list
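
An added example, not part of the original message and not Launchpad or list-server code: a list-side filter that redacts Launchpad claim-token links from the copy of a message written to a public archive, so the token in the quoted mail above would not be readable there. The function name, the sample message and the token alphabet in the pattern are assumptions.

```python
import re
from email import message_from_string, policy

# URL shape copied from the quoted Launchpad mail; the token alphabet is assumed.
TOKEN_URL = re.compile(r"https://launchpad\.net/token/[A-Za-z0-9]+")
REDACTED = "https://launchpad.net/token/[REDACTED-BEFORE-ARCHIVING]"


def scrub_for_archive(raw):
    """Return (archive_copy, tokens_removed) for one raw RFC 5322 message.

    Only the copy written to the public archive is changed; the copy
    delivered to subscribers is not touched by this function.
    """
    msg = message_from_string(raw, policy=policy.default)
    removed = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments
        text = part.get_content()
        scrubbed, hits = TOKEN_URL.subn(REDACTED, text)
        if hits:
            # set_content() rewrites the body and picks a matching encoding.
            part.set_content(scrubbed, subtype=part.get_content_subtype())
            removed += hits
    return msg.as_string(), removed


# Constructed sample: placeholder sender, list address and token.
SAMPLE = """\
From: noreply@example.org
To: team-list@lists.example.org
Subject: Claim team

To finish claiming that team, just follow the link below.
    https://launchpad.net/token/EXAMPLETOKEN0000
"""

if __name__ == "__main__":
    copy, n = scrub_for_archive(SAMPLE)
    print(n, "token link(s) redacted")
    print(copy)
```

A non-zero count is also a signal for the list owner that an account or team is registered to the list address itself.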
