On Tue, Jan 11, 2022 at 11:58:36AM -0500, Christopher wrote:

> Hi,
>
> Today, I received an email from fas@xxxxxxxxxxxxxxxxx with the subject
> line "Fedora Account System: please verify your Bugzilla email
> address". This email has a unique link to accounts.fedoraproject.org.
>
> Based on the context, it seems legitimate. However, I noticed that
> clicking the link will take you to a sign-in page asking for
> credentials to your account. That seems strange to me, because it
> already has a unique link that's associated with the verification of a
> specific email in a specific FAS account, so asking for credentials
> should be completely unnecessary here. Asking for credentials makes
> this appear to be a phishing attempt, because that's how a phishing
> email would behave (appearance of legitimacy, requesting credentials
> when not needed).
>
> I think the FAS developers should remove the requirement to sign in
> for these verification emails, to reduce the appearance/behavior of
> phishing. The email itself says these emails are "To improve
> security". If that is a goal, then Fedora systems should avoid
> training users to supply credentials when not needed.

This was a one-off thing, which I suggested we do to be nice and avoid problems for people, but perhaps it was misguided and we shouldn't have done it.

We moved to a new account system last year, and it has a 'bugzilla' field. Unfortunately, we didn't have cycles to start actually using that field at the time we switched. Shortly after, we started looking into using it, but we realized that there was no validation for it. This wouldn't be acceptable, so we implemented a verification setup on it that was much like the one for the primary email address.

However, 161 people had entered email addresses that were not their primary ones. We were going to just clear them all out and announce that folks with these should reenter and validate them, but I suggested we could simply trigger a validation cycle on them. That would likely have more folks see the email and validate it, where they might miss an announcement.

Anyhow, this was a one-time script thing; it won't run again.

kevin
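The design Christopher argues for above, as an added example that is not FAS or Fedora infrastructure code: the mailed link carries a random, single-use, expiring token that is already bound to one account and one address, so the verify endpoint proves mailbox control on its own and has no reason to ask for a password. The hostname, the in-memory stores and the account data are constructed for the example.

```python
import secrets
import time
from urllib.parse import urlparse

# Constructed in-memory stores standing in for the account database.
ACCOUNTS = {"alice": {"bugzilla_email": "alice-bz@example.test", "bugzilla_verified": False}}
PENDING = {}            # token -> (account, email, expires_at)
TOKEN_TTL = 24 * 3600   # seconds a mailed link stays valid


def issue_verification_link(account, email, now=None):
    """Mint a single-use, expiring token bound to (account, email) and return the
    link to mail out. The token is 128 random bits, so possession of the link is
    the proof that the recipient controls that mailbox."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    PENDING[token] = (account, email, int(now + TOKEN_TTL))
    return f"https://accounts.example.test/verify-bugzilla/{token}"  # hostname assumed


def verify_bugzilla_email(link, now=None):
    """Handle a click on the mailed link. No session or password is required: the
    token already identifies the account and the address being verified.
    Returns (account, email) on success, None otherwise."""
    now = time.time() if now is None else now
    token = urlparse(link).path.rsplit("/", 1)[-1]
    # Single use: the token is consumed on the first attempt, valid or not,
    # so a leaked or replayed link cannot verify anything later.
    record = PENDING.pop(token, None)
    if record is None:
        return None
    account, email, expires_at = record
    if now > expires_at:
        return None
    acct = ACCOUNTS.get(account)
    # Mark verified only if the stored address is still the one the token was minted for,
    # so a token cannot be used to bless an address changed after it was sent.
    if acct is None or acct["bugzilla_email"] != email:
        return None
    acct["bugzilla_verified"] = True
    return account, email
```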
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure