OpenWrt mailing lists keep cleartext passwords (was: Password divulged)

Received the standard subscription notification email from OpenWRT today sent at 5:00 AM. Down towards the bottom was a small tabular section titled “Passwords for myemail@myemailprovider.com.”

Here was the tabular list of subscribed notifications, the email address the notification is sent to, AND THE PASSWORD OF THE OpenWRT ACCOUNT!!!

Who does that!?!?!!? DUMB! DUMB DUMB DUMB

What does it have to do with OpenWrt?

Sent by OpenWRT mailing list Admin. Seemed self-evident to me.

This is default behaviour for mailman 2 and the OpenWrt mailing lists use mailman 2... Since this is a users help users forum, I would ask you to send an email to the admin accounts for the mailing lists to discuss this issue and potentially effect change.

Users need to know that this occurred and that their credentials may also have been compromised.

5 Likes

Never saw the password embedded before. An oddly peculiar practice whose origins I'm sure are completely logical… from a certain perspective.

Meaning you never subscribed to a mailing list running on mailman2... can happen.

2 Likes

That "certain perspective" is pure legacy. It's fundamentally indefensible nowadays, even Mailman's devs know that. But the attack surface is so small it is practically nonexistent, which is why upgrading the mailing lists is probably not particularly high on anyone's list of priorities.

2 Likes
