launchpad-dev team mailing list archive
Message #03673
Re: Fwd: [Fwd: Quickly and Launchpad]
So what classes of attack exist here?

Social/trojan:
They might get the user to run code they shouldn't, which then sets up
an SSH/CoC/GPG/changes their email [but we already have a handshake on
email changes], and then with the access the SSH/GPG/PPA gives them do
something bad (like push garbage into a branch).

Mail multiplication? I don't think so, the only person able to trigger
a 'new ssh' email is the user themselves, unless their credentials
have been leaked already.

Mail to other people? Not through this API - the 'setup a new email
address' API would definitely permit that - but not permit controlling
the content in the mail (I hope?!)

-Rob