Edgewall Software

Opened 12 years ago

Last modified 12 years ago

#9874 new defect

using a custom query to harvest email addresses

Reported by: Andrew C Martin <andrew.c.martin@…> Owned by:
Priority: normal Milestone: unscheduled
Component: general Version: 0.12dev
Severity: normal Keywords: notification email spam
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:


From ticket:153#comment:93

Again, if you discover any leak of e-mails information remaining for unauthorized users, please create a new ticket.

A malicious user with a little motivation could easily harvest 100's of email addresses from Trac. This can be achieved through custom queries on user-fields, using popular domain names as search criteria.

Example: hotmail.com

By replacing "…" with the domain name in question, full email addresses can be collected from the query results by unauthorized users.

Attachments (0)

Change History (1)

comment:1 by Christian Boos, 12 years ago

Milestone: unscheduled

Well, this is not a leak in the way I meant it in #153: there, I was referring to places missing the obfuscation.

Here you point to a limitation of the obfuscation scheme itself, the fact that you could gather a list of obfuscated e-mail addresses using a custom query is only anecdotal, as one can also imagine the spammer spidering a whole Trac site and looking for all the …@… strings.

So I don't think it's worth special casing this custom query, but OTOH, it might be useful to improve our obfuscation strategy. Suggestions welcome ;-)

Modify Ticket

Change Properties
Set your email in Preferences
as new The ticket will remain with no owner.
The ticket will be disowned.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.