Re: [eclipse.org-architecture-council] Auto-generated emails containing secure information received
> I am surprised that this is acceptable from a security standpoint. I
> wish I had known about this bug which the foundation has accepted as a
> feature. To be clear, it is /not/ a random password rather a password
> with which you /can/ take an action
it might be sent to you under some circumstances, but apart from that you
can do absolutely NOTHING with it, as all functions are DISABLED (or I
haven't found a way how):
- list settings: HTTP 404
- list help: mail address unknown
- subscribe/unsubscribe: only possible through the Eclipse website with a
completely different login.
> Correct me if I am wrong
If you think anything can be done with the password, you should probably
give a hint (maybe by direct mail) about what exact function you are
concerned about. I would even not mind sharing one of my mailing list
passwords with someone who wants to show that anything "malicious" can
actually be done with it... I'm open for experiments!
On 08.12.25 at 15:48, Nikhil Nanivadekar via
eclipse.org-architecture-council wrote:
/Explicitly adding Wayne and Mike for awareness./
I am surprised that this is acceptable from a security standpoint. I
wish I had known about this bug which the foundation has accepted as a
feature. To be clear, it is /not/ a random password rather a password
with which you /can/ take an action, even if it is just to subscribe or
unsubscribe from a mailing list. This has reduced my trust to 0 in the
security practices of the foundation.
Correct me if I am wrong, my understanding is that there will be no
effort to do anything about it. If that is the case, I’ll cascade it to
the Amazon representatives to ensure they are aware of it because Amazon
is a member company and it’s my responsibility to surface security
violations.
Thanks,
Nikhil.
On Mon, Dec 8, 2025 at 8:33 AM Eclipse Infrastructure
<infrastructure@xxxxxxxxxxxxxxxxxxxxxx> wrote:
As Christoph already pointed out, this is a known (22+ years) behavior
in the software that runs our mailing lists.
To be clear, the password sent is not your Eclipse.org account
password (Mailman has no access to that), but rather a per-list
auto-generated one that could be used in the past to access some Mailman
features. Most of those features were disabled/blocked years ago
to prevent them from being used as a source of potential abuse.
We have no plans to modify the Mailman codebase to 'correct' this,
since you can't really do anything with this password, making the
risk very low.
-Matt.
On Sun, Dec 7, 2025 at 10:10 AM Nikhil Nanivadekar
<nikhilnanivadekar@xxxxxxxxx> wrote:
Hi Technology PMC owners, EMO,
I received an email to confirm my subscription to Technology PMC
distribution list. This email is highly insecure because it
contains my password in plain text.
Can you please prioritize fixing the emails sent such that they
don’t contain passwords in plain text?
Honestly, I was a bit shocked and I am worried about the
security and privacy controls to keep our account safe.
Architecture council, EMO,
What is the mechanism to request a verification that such
incidents are handled promptly and systematic fixes are applied?
Thanks,
Nikhil.
_______________________________________________
eclipse.org-architecture-council mailing list
eclipse.org-architecture-council@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/eclipse.org-architecture-council
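The thread above is about Mailman 2 mailing a per-list password in clear text (in the welcome mail and in the monthly membership reminder). A practitioner's first question is usually "which of my mailboxes already hold such passwords, and for which lists?". The script below is an added example written for this page; it is not code from the Eclipse Foundation, the Mailman project, or any participant in the thread. It scans raw RFC 822 messages for the two Mailman message shapes and reports the affected lists with the password masked, so the output itself does not become another plaintext copy. The header names (`List-Id`, `X-Mailman-Version`), the "It is:" welcome wording, and the "Passwords for ..." reminder table layout are assumptions about Mailman 2's templates; the three sample messages are constructed, not real mail from the thread.

```python
"""Inventory Mailman-style messages that carry a per-list password.

Added example (not Eclipse Foundation or Mailman code). The message
layouts matched here are an ASSUMED approximation of Mailman 2's
welcome mail and monthly reminder; tune the patterns for your lists.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# ASSUMPTION: welcome mail says "You must know your password ... It is:"
WELCOME_RE = re.compile(r"You must know your password.*?It is:\s*(?P<pw>\S+)", re.S)
# ASSUMPTION: reminder table rows look like "<list address>   <password>";
# the URL line that follows each row has no '@', so it is skipped.
REMINDER_ROW_RE = re.compile(r"^(?P<list>[\w.+-]+@[\w.-]+)\s+(?P<pw>\S+)\s*$", re.M)


def mask(secret: str) -> str:
    """Keep two characters so a finding is recognisable, never the whole value."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def scan_message(raw: str) -> list[dict]:
    """Return one finding per plaintext list password found in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Only look at mail that identifies itself as coming from a list manager.
    if not (msg.get("List-Id") or msg.get("X-Mailman-Version")):
        return []
    body = _body_text(msg)
    findings = []
    m = WELCOME_RE.search(body)
    if m:
        findings.append({"kind": "welcome",
                         "list": str(msg.get("List-Id", "")).strip(),
                         "password": mask(m.group("pw"))})
    idx = body.find("Passwords for ")
    if idx >= 0:
        for row in REMINDER_ROW_RE.finditer(body[idx:]):
            findings.append({"kind": "reminder",
                             "list": row.group("list"),
                             "password": mask(row.group("pw"))})
    return findings


def scan_messages(raws: list[str]) -> list[dict]:
    out = []
    for raw in raws:
        out.extend(scan_message(raw))
    return out


# Constructed sample messages (not real mail from the thread).
WELCOME = """From: dev-list-request@example.org
To: alice@example.com
Subject: Welcome to the "dev-list" mailing list
List-Id: <dev-list.example.org>
X-Mailman-Version: 2.1.29
Content-Type: text/plain; charset="us-ascii"

Welcome to the dev-list@example.org mailing list!

You must know your password to change your options (including changing
the password, itself) or to unsubscribe without confirmation.  It is:

    hunter2abc

Normally, Mailman will remind you of your example.org mailing list
passwords once every month.
"""

REMINDER = """From: mailman-owner@example.org
To: alice@example.com
Subject: example.org mailing list memberships reminder
X-Mailman-Version: 2.1.29
Content-Type: text/plain; charset="us-ascii"

This is a reminder, sent out once a month, about your example.org
mailing list memberships.

Passwords for alice@example.com:

List                                     Password // URL
----                                     --------------
dev-list@example.org                     hunter2abc
http://example.org/mailman/options/dev-list/alice%40example.com
ops-list@example.org                     zzzzzz99
http://example.org/mailman/options/ops-list/alice%40example.com
"""

NOT_A_LIST_MAIL = """From: bob@example.com
To: alice@example.com
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Your password for the wifi is hunter2abc, see you at noon.
"""

SAMPLE_MESSAGES = [WELCOME, REMINDER, NOT_A_LIST_MAIL]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"{finding['kind']:8} {finding['list']:28} {finding['password']}")
```

Run against a real mailbox by feeding it the raw text of each message (for example from `mailbox.mbox`); the point of masking is that the inventory tells you which lists have mailed you a password without writing the password out again.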