When resetting passwords and once a month in the daily mailing list reminder, I get my password sent to me in plain text, meaning that we don’t hash and salt the passwords. This seems like a security issue.
Event Timeline
This ticket is simply not fixable in Mailman 2 afaik. Similar: https://phabricator.wikimedia.org/T59787
Can this be locked to Security or acl*security_team members only? It's not smart to keep such issue available for everyone to see.
Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.
Threat-modeling this a bit, I personally think it far more likely that a malicious actor happens across lists.wikimedia.org and sees it's running a preposterously outdated version of Mailman and goes from there, as opposed to finding random, public Phab bugs like this one. The solution here is to upgrade Mailman, which has been discussed for several years now (see: T52864, T97492, T66547, T130554) where the exact issue this task describes has been previously noted (T97492#1243823). The upgrade just needs to be prioritized and scheduled, which can be a very complicated process around here.
Keep in mind these passwords are (mostly?) randomly chosen by Mailman, not the user, so they are closer to tokens than traditional passwords (doesn't make this less terrible, but adjusts the threat model slightly).
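As an added illustration of the fix the description asks for (this is constructed example code, not Mailman's code and not from anyone in this thread): a Python sketch that generates Mailman-style random list passwords but stores only a salted PBKDF2 hash, so a login can still be checked while a forgotten password can only be replaced, never mailed back. The PBKDF2 parameters, the record format and the SubscriberStore class are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed KDF cost, not a Mailman setting

def generate_list_password(nbytes: int = 12) -> str:
    # Random token-like password, as Mailman 2 generates for subscribers
    return secrets.token_urlsafe(nbytes)

def hash_password(password: str) -> str:
    # Self-describing record: algorithm$iterations$salt$digest (base64 fields)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)  # constant-time compare

class SubscriberStore:
    """Holds only hash records. The clear-text password exists only in the
    return value of subscribe()/reset(), i.e. at the moment it would be mailed."""

    def __init__(self):
        self.records = {}

    def subscribe(self, email: str) -> str:
        password = generate_list_password()
        self.records[email] = hash_password(password)
        return password

    def authenticate(self, email: str, password: str) -> bool:
        record = self.records.get(email)
        return record is not None and verify_password(password, record)

    def reset(self, email: str) -> str:
        # Replaces the monthly "here is your password" reminder: the old
        # password cannot be recovered from its record, so a new one is issued
        return self.subscribe(email)
```

With this layout a database leak exposes only salted hashes of random tokens, and the monthly reminder has nothing it could send except a fresh password.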