Plaintext password exposed in mailing list monthly reminder

systemdlete · December 3, 2022, 12:48am

I get a monthly reminder from your mailing list, which includes sensitive data, like my password. This is being sent in plaintext, in broad daylight.

If you have questions, problems, comments, etc, send them to [mailman-owner@lists.openwrt.org](mailto:mailman-owner@lists.openwrt.org). Thanks!

So I tried to respond to the message. I got an "undeliverable message" message.

At any rate, aside from whatever is going on with maintenance of the list, I would prefer to NOT have my password exposed that way. Sorry I have not noticed this before.

anomeome · December 3, 2022, 1:00am

hmm, surprising it can even be reversed from a hash in some DB, or is it just stored in plain text.

takimata · December 3, 2022, 8:34am

This is an ancient mailman feature from the dark ages, and it indeed stores the password in plaintext.

I understand the sentiment, and I agree that it isn't particularly elegant. But really what difference does it make If someone has access to your mailbox and, absent a 2FA mechanism, could still reset or request a new password in your name?

Also there's this new trend making the rounds, people using different passwords for each service.

systemdlete · January 4, 2023, 9:06pm

Ah! Use DIFFERENT passwords. Who'da thunk it?

Yeah, I use different passwords for every system, account, and machine I use. And I have been doing so for YEARS. In fact, I don't recall a time when I used the same password twice.

It sounds like you don't care too much about security, and I understand that sentiment. However, I do care. I'd prefer not to give the bad guys one inch, because you know what they say about that.

takimata · January 4, 2023, 9:27pm

I understand that. And again, I agree that it is inelegant. But you are trying to remedy a situation where the attacker already has access to your respective mailbox. In that scenario it doesn't make a lick of difference whether mailman is sending out plaintext passwords or not. The attacker can have your password now or request your password and have it a minute later. Once they have access to your mailbox, they don't just have an inch, they have the full nine yards.

Edit: It looks like you can request to turn off the monthly password reminder for yourself.. A cursory test showed that there is indeed member options pages at https://lists.openwrt.org/mailman/options/<listname> where the password reminder can be turned off.

slh · January 4, 2023, 11:44pm

Look at it from a different side, what can an attacker do with this password - apart from unsubscribing you (or messing a little with timezones or digests vs individual mails). As long as you give it an individual password (which you should either way), your (or that of the mailing list admin) exposure is very limited and noticable; personally I don't even write up the 'one-time-use' passwords for mailing lists, if I need it, I can get a new one - and it happens once or twice in a decade for me to access the webinterface after subscribing in the first place (if at all).