On Tue, 2022-01-11 at 11:58 -0500, Christopher wrote: > Hi, > > Today, I received an email from fas@xxxxxxxxxxxxxxxxx with the subject > line "Fedora Account System: please verify your Bugzilla email > address". This email has a unique link to accounts.fedoraproject.org. > > Based on the context, it seems legitimate. However, I noticed that > clicking the link will take you to a sign-in page asking for > credentials to your account. That seems strange to me, because it > already has a unique link that's associated with the verification of a > specific email in a specific FAS account, so asking for credentials > should be completely unnecessary here. Asking for credentials makes > this appear to be a phishing attempt, because that's how a phishing > email would behave (appearance of legitimacy, requesting credentials > when not needed). > > I think the FAS developers should remove the requirement to sign-in > for these verification emails, to reduce the appearance/behavior of > phishing. The email itself says these emails are "To improve > security". If that is a goal, then Fedora systems should avoid > training users to supply credentials when not needed. You want anyone who receives or intercepts those emails to be able to access your account *without* logging in?!? -- Yaakov Selkowitz Senior Software Engineer - Platform Enablement Red Hat, Inc. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
