On 02/05/14 20:34, Nusenu wrote:
>> We learned recently that there was a bug in our Trac setup that allowed
>> anyone to register a new user account for an existing user name, overwriting
>> the existing user's password and thereby taking over the account [0].
>
> Has there been an analysis on how many accounts have been compromised
> this way (and their email addresses changed)?

AFAIK, there's no way to find out whether an account has been compromised,
other than asking users to log in and see if their password still works.
FWIW, we asked a few dozen users with elevated privileges, and none of them
reported that their account has been compromised.

> When was this vulnerability introduced?

Maybe a few months back when upgrading to Trac 1.0/1.0.1? Erinn might know
better.

>> However, it's still possible that somebody has taken over your account in the
>> past and you didn't notice because you didn't log in recently. We recommend
>> users try to log in and if you find you are unable to do so, you can reset
>> your password here: https://trac.torproject.org/projects/tor/reset_password
>
> Not very helpful if the attacker changed the account's email address ;)

True. If somebody can't reset their password because their email address
has been changed, we should probably disable the user account and ask the
person to create a new one.

> btw: Was there any specific reason to wait for 10 days after fixing this
> issue before telling tor-talk about it?

Yes. We first contacted users with elevated privileges in two rounds to make
sure that all those user accounts are legit. And then we had to implement a
way for users to reset their password.

All the best,
Karsten

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
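The registration bug discussed in this thread, shown as an added illustration that is not Trac's code and not part of the original message: a registration handler that upserts credentials lets a second registration under an existing name replace the stored password, while one that relies on a uniqueness constraint in the store refuses it. The in-memory sqlite table, the PBKDF2 hashing and the sample users are assumptions constructed for the example.

```python
import hmac
import os
import sqlite3
from hashlib import pbkdf2_hmac


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed example: PBKDF2-SHA256, 100k rounds, per-user random salt
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # PRIMARY KEY makes the store itself enforce one row per user name
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, email TEXT)")
    return db


def register_vulnerable(db, name: str, password: str, email: str) -> bool:
    # Weak pattern: "register" is really an upsert, so registering an existing
    # name silently overwrites that account's password and e-mail address.
    salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
               (name, salt, _hash(password, salt), email))
    db.commit()
    return True


def register_fixed(db, name: str, password: str, email: str) -> bool:
    # Corrected pattern: a plain INSERT; the uniqueness constraint rejects a
    # duplicate name atomically, so a prior existence check cannot be raced.
    salt = os.urandom(16)
    try:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, _hash(password, salt), email))
    except sqlite3.IntegrityError:
        return False  # name already taken; existing account left untouched
    db.commit()
    return True


def check_login(db, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])
```

Running both registration paths against the same two requests shows the difference: with the upsert the original user's password stops working after the second registration, with the constrained insert the second registration fails and the original login still succeeds.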