
Stop storing Mailman passwords in plain text
Open, High, Public, Security

Description

When resetting passwords, and once a month in the daily mailing list reminder, I get my password sent to me in plain text, meaning that we don't hash and salt the passwords. This seems like a security issue.

Event Timeline

Josve05a created this task. Dec 1 2017, 1:36 PM
Restricted Application added a subscriber: Aklapper. Dec 1 2017, 1:36 PM
Josve05a updated the task description.

Maybe this could be resolved with T52864?

Reedy added a subscriber: Reedy. Dec 1 2017, 2:20 PM

It's a very well known problem in Mailman 2

This ticket is simply not fixable in Mailman 2 afaik. Similar: https://phabricator.wikimedia.org/T59787

Legoktm renamed this task from "Stop storing passwords in plain text" to "Stop storing Mailman passwords in plain text". Dec 1 2017, 4:32 PM
He7d3r added a subscriber: He7d3r. Feb 2 2018, 11:59 AM
Reedy triaged this task as High priority. Feb 12 2018, 10:27 AM
Reedy moved this task from Backlog / Other to Operational issues on the acl*security board.
Restricted Application added a project: Operations. Aug 10 2018, 10:17 AM
kolbert added a subscriber: kolbert. Aug 3 2019, 7:04 PM
Josve05a moved this task from Backlog to Continue to complain about on the User-Josve05a board.
Josve05a added a project: Privacy.
Josve05a changed the subtype of this task from "Task" to "Security Issue". Nov 8 2019, 9:23 PM
Krenair added a subscriber: Krenair. Nov 8 2019, 9:23 PM
Apap04 added a subscriber: Apap04. Nov 14 2019, 4:05 AM

Can this be locked to Security or acl*security_team members only? It's not smart to keep such an issue available for everyone to see.

It's kind of obvious when Mailman keeps sending people monthly password reminders.


Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.


Threat-modeling this a bit, I personally think it far more likely that a malicious actor happens across lists.wikimedia.org and sees it's running a preposterously outdated version of Mailman and goes from there, as opposed to finding random, public Phab bugs like this one. The solution here is to upgrade Mailman, which has been discussed for several years now (see: T52864, T97492, T66547, T130554) where the exact issue this task describes has been previously noted (T97492#1243823). The upgrade just needs to be prioritized and scheduled, which can be a very complicated process around here.

Keep in mind these passwords are (mostly?) randomly chosen by Mailman, not the user, so they are closer to tokens than traditional passwords (doesn't make this less terrible, but adjusts the threat model slightly).
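The task description infers plaintext storage from the fact that Mailman can mail the password back, and the comment above notes the passwords are usually generated tokens. The following added example (not Mailman's code; the two stores, the addresses and the PBKDF2 parameters are assumptions for illustration) shows why a monthly reminder requires plaintext storage and what a salted-hash store can and cannot do instead:

```python
import hashlib
import hmac
import os
import secrets


class PlaintextStore:
    """Stores the password itself, so a monthly reminder can mail it back (Mailman 2 style)."""

    def __init__(self):
        self.passwords = {}  # addr -> password, readable by anyone with access to the store

    def subscribe(self, addr, password):
        self.passwords[addr] = password

    def verify(self, addr, attempt):
        return self.passwords.get(addr) == attempt

    def monthly_reminder(self, addr):
        # The reminder feature only works because the secret is kept as-is.
        return f"Your list password is: {self.passwords[addr]}"


class HashedStore:
    """Stores only a per-subscriber salt and PBKDF2-HMAC-SHA256 of the password."""

    ITERATIONS = 600_000  # assumed work factor; raise as hardware improves

    def __init__(self):
        self.records = {}  # addr -> (salt, digest); the password itself is never kept

    def subscribe(self, addr, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.records[addr] = (salt, digest)

    def verify(self, addr, attempt):
        if addr not in self.records:
            return False
        salt, digest = self.records[addr]
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def monthly_reminder(self, addr):
        # Nothing to mail: the password is not recoverable from the record, so the
        # reminder has to become a reset (issue a fresh password or a one-time link).
        raise LookupError("password not recoverable; issue a reset instead")


def new_list_password():
    # Generated, token-like passwords (as Mailman assigns) are hashed exactly the same way.
    return secrets.token_urlsafe(12)
```

A dump of `HashedStore.records` yields salts and digests only, whereas a dump of `PlaintextStore.passwords` yields every subscriber's password directly.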

JFishback_WMF moved this task from Intake to Backlog on the Privacy board. Thu, Mar 12, 1:12 AM