Opened 15 years ago
Last modified 15 years ago
#9874 new defect
using a custom query to harvest email addresses
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | unscheduled |
| Component: | general | Version: | 0.12dev |
| Severity: | normal | Keywords: | notification email spam |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
Again, if you discover any leak of e-mail information remaining for unauthorized users, please create a new ticket.
A malicious user with a little motivation could easily harvest hundreds of email addresses from Trac. This can be achieved through custom queries on user fields, using popular domain names as search criteria.
Example: hotmail.com
By replacing "…" with the domain name in question, full email addresses can be collected from the query results by unauthorized users.
Well, this is not a leak in the way I meant it in #153: there, I was referring to places missing the obfuscation.
Here you point to a limitation of the obfuscation scheme itself; the fact that you could gather a list of obfuscated e-mail addresses using a custom query is only anecdotal, as one can also imagine a spammer spidering a whole Trac site and looking for all the …@… strings.
So I don't think it's worth special casing this custom query, but OTOH, it might be useful to improve our obfuscation strategy. Suggestions welcome ;-)
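The following is an added illustration of the limitation discussed in this ticket, not code from Trac or from anyone in the thread: it models a custom query that filters on the raw reporter field and then obfuscates the result as "user@…" (the scheme the report describes), shows how the search criterion combined with the visible local part undoes the obfuscation, and contrasts a variant that filters only against what the viewer is allowed to see. The `can_view_email` flag stands in for the viewer's EMAIL_VIEW permission; the ticket data is constructed.

```python
import re

ELLIPSIS = "\u2026"  # the "…" Trac shows in place of the domain
EMAIL_RE = re.compile(r"([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample tickets; not real addresses.
TICKETS = [
    {"id": 1, "reporter": "alice@hotmail.com"},
    {"id": 2, "reporter": "bob@example.org"},
    {"id": 3, "reporter": "carol@hotmail.com"},
]


def obfuscate(text):
    """Domain-only obfuscation as described in the ticket: keep the
    local part, replace everything after '@' with an ellipsis."""
    return EMAIL_RE.sub(lambda m: m.group(1) + "@" + ELLIPSIS, text)


def custom_query_leaky(tickets, field, needle, can_view_email):
    """Filter on the raw stored value, obfuscate only for display.
    The filter criterion is chosen by the viewer, so the obfuscated
    output still pins down the domain of every matching row."""
    rows = []
    for t in tickets:
        if needle in t[field]:
            value = t[field] if can_view_email else obfuscate(t[field])
            rows.append((t["id"], value))
    return rows


def custom_query_safe(tickets, field, needle, can_view_email):
    """Hardened variant: viewers without the permission filter against
    the obfuscated value, so a domain substring can never match."""
    rows = []
    for t in tickets:
        visible = t[field] if can_view_email else obfuscate(t[field])
        if needle in visible:
            rows.append((t["id"], visible))
    return rows


def reconstructable(rows, needle):
    """Regression check: addresses whose obfuscation is undone simply
    by substituting the search criterion for the ellipsis."""
    return sorted(v.replace(ELLIPSIS, needle) for _, v in rows if ELLIPSIS in v)
```

Filtering the obfuscated value still lets an anonymous user search by local part ("alice"), which reveals no more than the obfuscated display already does.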