On Tue, Jan 11, 2022 at 1:53 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote: > > On Tue, 2022-01-11 at 18:15 +0100, Alexander Sosedkin wrote: > > On Tue, Jan 11, 2022 at 6:04 PM Yaakov Selkowitz <yselkowi@xxxxxxxxxx> wrote: > > > > > > On Tue, 2022-01-11 at 11:58 -0500, Christopher wrote: > > > > Hi, > > > > > > > > Today, I received an email from fas@xxxxxxxxxxxxxxxxx with the subject > > > > line "Fedora Account System: please verify your Bugzilla email > > > > address". This email has a unique link to accounts.fedoraproject.org. > > > > > > > > Based on the context, it seems legitimate. However, I noticed that > > > > clicking the link will take you to a sign-in page asking for > > > > credentials to your account. That seems strange to me, because it > > > > already has a unique link that's associated with the verification of a > > > > specific email in a specific FAS account, so asking for credentials > > > > should be completely unnecessary here. Asking for credentials makes > > > > this appear to be a phishing attempt, because that's how a phishing > > > > email would behave (appearance of legitimacy, requesting credentials > > > > when not needed). > > > > > > > > I think the FAS developers should remove the requirement to sign-in > > > > for these verification emails, to reduce the appearance/behavior of > > > > phishing. The email itself says these emails are "To improve > > > > security". If that is a goal, then Fedora systems should avoid > > > > training users to supply credentials when not needed. > > > > > > You want anyone who receives or intercepts those emails to be able to access > > > your account *without* logging in?!? > > > > An entity intercepting and reading your email should already be capable > > of anything besides installing your drivers (https://xkcd.com/1200). > > Is FAS somehow resistant to the "forgot password" button clicking "attack"? > > How? > > A FAS account with 2FA turned on is. Because FAS asks for password and 2FA, 2FA-enabled accounts would still be vulnerable to a phishing attack that was modeled after these legitimate emails, but using a spoofed FAS site. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
