On Fri 2015-01-23 15:17:19 -0500, Launchpad wrote:

> vovd (vovd) tried to claim the Launchpad
> team named Debian Javascript Maintainers (pkg-javascript-devel-lists) (which is
> associated with pkg-javascript-devel@lists.alioth.debian.org).
>
> To finish claiming that team, making vovd (vovd)
> its owner, just follow the link below.
>
>     https://launchpad.net/token/s82RbqGNq9Zn29808FhD

This is a troubling situation.  Launchpad sends this token, but the
owner is a publicly-archived mailing list.

All an attacker needs to do is submit a request to claim the team, then
read the archive to find the token and claim the team.

Should launchpad have a warning against assigning group ownership to a
public mailing list?

fwiw, i've been on the Debian Javascript Maintainers mailing list for
over a year and i've never heard of anyone named vovd.

     --dkg

_______________________________________________
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
