[Pkg-javascript-devel] Launchpad: Claim existing team
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jan 23 21:34:23 UTC 2015
On Fri 2015-01-23 15:17:19 -0500, Launchpad wrote:
> vovd (vovd) tried to claim the Launchpad
> team named Debian Javascript Maintainers (pkg-javascript-devel-lists) (which is
> associated with pkg-javascript-devel at lists.alioth.debian.org).
>
> To finish claiming that team, making vovd (vovd)
> its owner, just follow the link below.
>
> https://launchpad.net/token/s82RbqGNq9Zn29808FhD

This is a troubling situation. Launchpad sends this token, but the
owner is a publicly-archived mailing list.

All an attacker needs to do is submit a request to claim the team, then
read the archive to find the token and claim the team.

Should launchpad have a warning against assigning group ownership to a
public mailing list?

fwiw, i've been on the Debian Javascript Maintainers mailing list for
over a year and i've never heard of anyone named vovd.

--dkg