Mattia Verga via devel wrote:
> I also imagine the case where a user no longer uses their email address and
> it becomes available to someone else. The new user may easily reset the
> password and gain access to the old Fedora account (provided that the
> old user didn't use 2FA).

Here's an article about similar concerns regarding NPM:
https://therecord.media/thousands-of-npm-accounts-use-email-addresses-with-expired-domains/

An excerpt:

| Researchers said they found that 2,818 project maintainers were still
| using an email address for their accounts that had an expired domain,
| some of which they found on sale on sites like GoDaddy.
|
| The team argued that attackers could buy these domains, re-register
| the maintainer's address on their own email servers, and then reset
| the maintainer's account password and take over his npm packages.

This seems like a risk for Fedora too, unless there are routines in place
to prevent it.

This particular method of account takeover could be reliably prevented,
considering that expiry dates are public and domains are quarantined
before they are released for registration by someone else. A program
could monitor domains that are due for renewal. If a domain expires,
then account recovery by email should be disabled for addresses in that
domain. The packager would then be required to authenticate with their
existing credentials – or prove their identity in some way that does not
rely on ownership of the email address – and set a new email address in
their account. Entering the old email address again would be allowed, in
case they have recovered the domain, but they would have to prove that
they can receive a confirmation message regardless of whether the new
address is the same as the old address.

Björn Persson
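The policy sketched in the message above, as an added example that is not part of the original post or of any Fedora account system: domains used by packager addresses are checked against their registration expiry, email-based password recovery is refused once the domain has expired, and a new address (even one identical to the old) only takes effect after a confirmation message is received. The DOMAIN_EXPIRY table is a constructed stand-in for a WHOIS/RDAP lookup; the Account class and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample standing in for a WHOIS/RDAP lookup: domain -> registration expiry.
# A domain missing from the table is treated as unknown and is not blocked.
DOMAIN_EXPIRY: Dict[str, date] = {
    "example.org": date(2030, 1, 1),              # active registration
    "old-maintainer.example": date(2022, 3, 15),  # expired; could be re-registered by anyone
}

@dataclass
class Account:  # hypothetical account record
    username: str
    email: str
    pending_email: Optional[str] = None  # new address awaiting confirmation

def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def domains_due_for_renewal(accounts: List[Account], today: date, window_days: int) -> List[str]:
    """Domains used by any account that expire within window_days (or already have)."""
    due = set()
    for acct in accounts:
        domain = email_domain(acct.email)
        expiry = DOMAIN_EXPIRY.get(domain)
        if expiry is not None and expiry <= today + timedelta(days=window_days):
            due.add(domain)
    return sorted(due)

def email_recovery_allowed(account: Account, today: date) -> bool:
    """Password reset by email is disabled once the address's domain has expired."""
    expiry = DOMAIN_EXPIRY.get(email_domain(account.email))
    return expiry is None or expiry >= today

def change_email(account: Account, new_email: str, authenticated: bool) -> None:
    """Setting a new address needs the existing credentials, never email recovery.
    The address stays pending until confirmed, even when it equals the old one
    (the packager may simply have recovered the domain)."""
    if not authenticated:
        raise PermissionError("authenticate with existing credentials first")
    account.pending_email = new_email

def confirm_email(account: Account, confirmed: str) -> bool:
    """Called when the user proves receipt of the confirmation message."""
    if account.pending_email is None or account.pending_email != confirmed:
        return False
    account.email, account.pending_email = confirmed, None
    return True
```

Running domains_due_for_renewal on a schedule gives the operator warning before an address becomes recoverable by a stranger, while email_recovery_allowed is the check the password-reset endpoint would consult.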