Closed Bug 1285837 Opened 8 years ago Closed 8 years ago

Categories: www.mozilla.org :: Pages & Content, defect
Version: Production
Type: defect
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: sbakhour, Unassigned
Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:
1. Searched Google for some data
2. Found this link: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=0ahUKEwj9hr_b9-nNAhUEWRoKHXL3AGwQFghDMAY&url=https%3A%2F%2Fwww.mozilla.org%2Fhumans.txt&usg=AFQjCNH459YC61Cf8exAk6hLi4zdc8i_fw

Actual results:
Opened it and it showed me the https://www.mozilla.org/humans.txt

Expected results:
It should not have appeared because it contains emails for users under the domain @mozilla.com and they could be subject to mass mailing or attack. Emails must remain hidden.
Component: Untriaged → Pages & Content
Product: Firefox → www.mozilla.org
Version: 47 Branch → Production
+1. There was a small discussion about this a while ago on IRC after noticing similar search results. I think the file serves no real purpose and should be either deleted or just stripped from addresses at least, both for employees and contributors.
Since the Mozilla employees' emails are leaked, an attacker may use a mailer to have a similar address and spam other users who are not aware of the attack.
agibson and pmac: is this something we want to change?
Flags: needinfo?(pmac)
Flags: needinfo?(agibson)
This has come up before, and we had a long discussion about it when it was implemented in bug 933311. It is opt-in and not automated. People can add or remove their names/emails at will. Thanks for the report.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(pmac)
Flags: needinfo?(agibson)
Resolution: --- → INVALID
I'm sorry to say I disagree on marking this invalid. Some arguments:

> "Question: What is the reason for adding the humans.txt file?
> Answer: It's a plain text list that has existed for a while. It's mostly a point of pride thing. Official recognition of contribution, but in a "devs would know this" kinda way."

I.e. it was a way of saying "Thank you" as well as the only way to identify SVN users at that point in time. Since SVN is history and Thank yous from Mozilla are done in another way, there is no real need to have email addresses listed anywhere for obvious reasons, especially nowadays. Some people may be humble enough to not need Thank yous, especially if that exposes their email addresses. I'm aware of the line in the Committer's agreement about a possible visibility of name and email address, but there's just no need to do this.

Spam has dramatically increased since Mozilla started to use Github, sometimes addressed to all users in humans.txt. (!) I know Github lists them elsewhere as well, but humans.txt has proven to be responsible very much, so it's not really about humans.txt on www.mozilla.org itself only. Some people keep adding additional spam filters to minimize it, but there's just no way to avoid the increase except by eliminating the source(s) of the issue. Some contributors may even consider ending their contributions to Mozilla if their emails keep being exposed this easily, or they may try to change their email address (including LDAP renewal and other processes to follow) while being unsure if that would really help as long as this issue remains.

> "> Would it be possible for a committer to request and receive removal of their username (email address) from this list?
>
> The way we're thinking of doing this now is to use :blixa's script to generate the initial list, but to then just commit the humans.txt file to the repo and manually manage it after that. So yes, we could easily remove a contributor from the list if we go this way."

To me, there was no real and clear way of opting in, nor to opt out, besides manually removing one's address by request or a GitHub PR if I see that right. Also, I'm not sure if :blixa's script still works (i.e. for adding/removing emails) after its initial use. What's wrong with just eliminating all email addresses from this file? If it isn't possible for some mysterious reason, please indicate if a personal PR per (own) email address is needed or would work anyway, or whatever else is possible. I would just like to see mine removed, as well as others to have the same option.
Ton, I completely agree with what you are saying and I don't understand why this was not considered as a real bug. I believe that once the attacker finds the emails of the Mozilla or any website staff then this is considered as a Directory Traversal Issue. I am not sure if everyone will agree about this, but from my point of view as a website tester and security analyst, I believe that any organization or company that has a very good reputation like Mozilla must have the maximum security applied on their systems. I am not asking for swag or a reward for reporting this; my aim was only to prevent the spam & phishing issues that are occurring a lot recently. I know some attackers who implemented "Beef" on their servers and they are using hidden XSS scripts tricking users on websites and forwarding them to other phishing links or simply stealing their cookies. Once a hacker knows your email ID, then his attack will become easier on your accounts. Again, this was only my opinion; I have a lot to say, but I was seriously disappointed by my bug being marked as resolved and invalid. I still believe that there should be a fix to hide or remove emails from the humans.txt file on Mozilla.

Regards,
Sami Bakhour
Sorry for reopening but I think it would be polite and respectful to both staff members and voluntary contributors to at least answer the questions in comment 5 that may have been and remain unnoticed otherwise. There is no way of opting in or out, and email addresses are no longer required in humans.txt. I think anyone will agree they should be stripped.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
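As an added illustration of the mitigation asked for in comments 5 and 7 (stripping the addresses while keeping the credit), the following Python script is not code from this bug or from the bedrock project. It detects email addresses in a humans.txt-style file and removes them before the file is published, keeping the names they were attached to. The sample file contents, names and addresses below are constructed for the example.

```python
import re
import sys

# Constructed sample in the humans.txt layout discussed in this bug;
# the names and addresses are made up, not taken from the real file.
SAMPLE_HUMANS_TXT = """/* TEAM */
Example Developer: dev.example@example.org
Example Localizer: l10n.example@example.net

/* THANKS */
Another Contributor
"""

# Matches the common shape of an email address. Good enough for a
# pre-publish audit; it is not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails(text):
    """Return every email address found in the text, in order of appearance."""
    return EMAIL_RE.findall(text)


def strip_emails(text):
    """Remove addresses from each line but keep the names they were attached to.

    'Example Developer: dev@example.org' becomes 'Example Developer'.
    Returns the cleaned text and the number of addresses removed.
    """
    out = []
    removed = 0
    for line in text.splitlines():
        cleaned, n = EMAIL_RE.subn("", line)
        removed += n
        if n:
            # Drop the separator left behind by the address: ': ', ' <>', ' ()', ...
            cleaned = cleaned.rstrip(" \t:<>()[],")
        out.append(cleaned)
    result = "\n".join(out)
    if text.endswith("\n"):
        result += "\n"
    return result, removed


def is_safe_to_publish(text):
    """True when the text contains no email address at all."""
    return not find_emails(text)


if __name__ == "__main__":
    # Usage: python strip_humans.py [path]; without a path the constructed sample is used.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HUMANS_TXT
    cleaned_text, count = strip_emails(source)
    sys.stdout.write(cleaned_text)
    sys.stderr.write(f"{count} address(es) removed; safe to publish: {is_safe_to_publish(cleaned_text)}\n")
```

Running `is_safe_to_publish` against the file in a pre-commit hook or CI step gives the maintainers an automated check that no address slips back into a published copy, regardless of how the list is managed afterwards.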
(In reply to Ton from comment #7)
> There is no way of opting in or out, and email addresses are no longer required in humans.txt

The opt-in happened when signing our agreement which we discussed in the referenced bug, and opt out is as simple as a quick bug or issue or PR to remove an address. Anyone in the list can remove themselves or ask to be removed. So far that hasn't happened. Unfortunately email is the only identifier we have for the localization team. Would you rather we only credit people who've submitted to the code repo and not the l10n one? I feel like they all are deserving of recognition.

All that said, I see that nothing will satisfy you all but full removal of this file. I'll submit a PR to do just that and we'll go back to relying on github's contributors list and mozilla.org/credits/ for recognition. It's not easy to go seek out, but you can if you wish.
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/ffc09da80e576e08a402ed7eff8a5d7d3f0f14bc
[bug 1285837] Remove references to humans.txt

https://github.com/mozilla/bedrock/commit/5edacab7550b1753d51d7fec316c150c07a1a787
Merge pull request #4331 from alexgibson/bug-1285837-humans-txt
[bug 1285837] Remove references to humans.txt
Hello everyone,

Since I opened this case, does this mean that my name will be listed under mozilla.org/credits?

Thank you,
Sami Bakhour
No. You have to have contributed significantly to a mozilla project. The details are at the bottom of that link.