The InfoSec Blog
1Nov/06

First of the Month Regular Security Violations

I am on many mailing lists. They are an aspect of modern life. For some people it's the 'synchronous mode' of IM, for others it's the 'asynchronous mode' of E-Mail.

Most of the lists I'm on are managed through YahooGroups, but a few are managed from 'private sites' using MailMan.
The real problem with MailMan is that on the first of the month every MailMan-managed list I subscribe to sends me a message that ...

... includes your subscription info and how to use it to change it or unsubscribe from a list.
You can visit the URLs to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

All well and good.
But then it also sends my password - IN CLEAR TEXT!

I have two issues with this.
The first is the obvious one: my password is sent in clear text.
For many users it will sit in a mailbox on a shared hosting service until it is read or downloaded, readable in the meantime by anyone with access to that server. I'm pretty aggressive about using fetchmail (look at those security features!) to download from any such mailboxes I have, or I use an immediate forwarding option if the ISP offers one. Most users will not be so enlightened.
The second issue should be just as obvious: MailMan stores the passwords in a form from which the cleartext can be recovered, otherwise it could not mail them. Contrast this with systems where, at registration, the password is stored only as a salted one-way hash and the cleartext is discarded. If you forget the password they don't even generate and mail you a new one; they mail you a message asking you to confirm that you requested a reset, and if you give an OK to that (i.e. it wasn't someone spoofing the request) they point you to a web address that is only valid for a short time and can be used once. You go there and are redirected to a page where you enter a new password.

This isn't difficult to implement. What seems to be difficult is the mental shift involved in giving up the storage of clear-text passwords. But then we have seen that in so many other areas of business and commerce, haven't we?
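To show how little is involved, here is the scheme described above in working form: hash-only storage, a reset that changes nothing until the mailed link is used, and a link that expires and works once. This is an added example for this post, not MailMan's code and not a design the author published; the class name, the PBKDF2 work factor and the 15-minute link lifetime are assumptions, and the sending of the mail itself is left to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed policy values for this example (not Mailman's): the PBKDF2 work
# factor and how long a reset link stays valid.
PBKDF2_ROUNDS = 200_000
TOKEN_TTL = 15 * 60  # seconds


def hash_password(password, salt):
    """Salted one-way hash; the cleartext cannot be recovered from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def token_key(token):
    """Only a hash of the reset token is stored, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode("ascii")).digest()


class Accounts:
    """Hypothetical subscriber store: holds hashes only, never the password itself."""

    def __init__(self):
        self.users = {}   # email -> {"salt": bytes, "hash": bytes}
        self.resets = {}  # token_key(token) -> {"email": str, "expires": float}

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt)}
        # `password` goes out of scope here; nothing retains the cleartext.

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        # constant-time comparison so a wrong guess is not distinguishable by timing
        return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

    def request_reset(self, email, now=None):
        """Step 1: produce the one-time link to mail to `email`.

        Nothing about the account changes yet, so a spoofed request only
        results in an unexpected mail to the real owner.  Returns None for
        unknown addresses; the caller should still answer 'check your mail'
        so the response does not reveal who is subscribed.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        expires = (now if now is not None else time.time()) + TOKEN_TTL
        self.resets[token_key(token)] = {"email": email, "expires": expires}
        return token

    def complete_reset(self, token, new_password, now=None):
        """Step 2: the mailbox owner followed the link; set a new password.

        The token is removed on first use (pop) and refused once expired.
        """
        rec = self.resets.pop(token_key(token), None)
        if rec is None:
            return False
        if (now if now is not None else time.time()) > rec["expires"]:
            return False
        self.register(rec["email"], new_password)
        return True
```

The `now` parameter exists only so the expiry can be exercised deterministically; in production it is left at its default. A real deployment would also rate-limit `request_reset` and put the token in the mailed URL rather than return it.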

I'm aware that MailMan has an option to stop the monthly reminder, and with it the cleartext password, from being sent at all.
What amazes me is that on EVERY MailMan list I'm on, that option is not selected.
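For list owners who want to select that option, the two places it lives in MailMan 2.1 are shown here as an added example (not MailMan's own code). `DEFAULT_SEND_REMINDERS`, `send_reminders`, `withlist` and `Save()` are MailMan's names; the stand-in list object at the end is constructed here only so the function can be exercised offline.

```python
# 1. Site default, in $prefix/Mailman/mm_cfg.py (which overrides Defaults.py).
#    Defaults.py ships the weak setting, DEFAULT_SEND_REMINDERS = Yes, so every
#    new list sends the monthly reminder carrying the member's password.
#    Corrected: lists created from now on do not send it.
DEFAULT_SEND_REMINDERS = 0


# 2. Existing lists keep their own send_reminders flag, so each must be edited.
#    Save this module as fix_reminders.py and run, for every list:
#        bin/withlist -l -a -r fix_reminders.disable_reminders
#    (-l locks the list so Save() may write config.pck; -a means all lists)
def disable_reminders(mlist):
    """withlist callable: turn off the monthly password reminder for one list."""
    mlist.send_reminders = 0
    mlist.Save()
    return mlist.send_reminders


class _StandInList:
    """Constructed stand-in for a MailList object, used only to run this offline."""

    def __init__(self):
        self.send_reminders = 1   # the weak state an untouched list is in
        self.saved = False

    def Save(self):
        self.saved = True


def check_offline():
    """Apply the fix to the stand-in and report (new flag value, was it saved)."""
    mlist = _StandInList()
    return disable_reminders(mlist), mlist.saved
```

Turning the reminder off per user is also possible (the "Get password reminder email for this list?" option on the member page), but that leaves the default on for everyone who never visits it, which is the situation this post complains about.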

Whatever other features MailMan has, this, to my mind, justifies not using MailMan.

Posted by Anton Aylward

Comments (2) Trackbacks (0)
  1. That annoys me, too. For additional irony, I would note that OWASP uses MailMan for their various community mailing lists.

  2. That’s the Open Web Application Security Project – their mail page/wiki is at http://www.owasp.org/index.php/Main_Page

