On Tue, Jan 11, 2022 at 6:04 PM Yaakov Selkowitz <yselkowi@xxxxxxxxxx> wrote: > > On Tue, 2022-01-11 at 11:58 -0500, Christopher wrote: > > Hi, > > > > Today, I received an email from fas@xxxxxxxxxxxxxxxxx with the subject > > line "Fedora Account System: please verify your Bugzilla email > > address". This email has a unique link to accounts.fedoraproject.org. > > > > Based on the context, it seems legitimate. However, I noticed that > > clicking the link will take you to a sign-in page asking for > > credentials to your account. That seems strange to me, because it > > already has a unique link that's associated with the verification of a > > specific email in a specific FAS account, so asking for credentials > > should be completely unnecessary here. Asking for credentials makes > > this appear to be a phishing attempt, because that's how a phishing > > email would behave (appearance of legitimacy, requesting credentials > > when not needed). > > > > I think the FAS developers should remove the requirement to sign-in > > for these verification emails, to reduce the appearance/behavior of > > phishing. The email itself says these emails are "To improve > > security". If that is a goal, then Fedora systems should avoid > > training users to supply credentials when not needed. > > You want anyone who receives or intercepts those emails to be able to access > your account *without* logging in?!? An entity intercepting and reading your email should already be capable of anything besides installing your drivers (https://xkcd.com/1200). Is FAS somehow resistant to the "forgot password" button clicking "attack"? How? _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
