Emails are displayed and available to spambots and other abuse, potential DOS against developers

RESOLVED DUPLICATE of bug 215439

Status

()

--
critical
RESOLVED DUPLICATE of bug 215439
15 years ago
8 years ago

People

(Reporter: fabian, Assigned: myk)

Tracking

Details

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1


PROBLEM: Emails of bug reporters, authors, etc. are exposed and available for
SPAMbots to grab and for other forms of online abuse.

SOLUTION: Upgrade to version 2.18 of Bugzilla when it's released. Contribute
code to Bugzilla so future Mozilla developers and contributors emails have
better protection.

According to the release notes of upcoming 2.18 version of Bugzilla:
http://www.bugzilla.org/releases/2.18/release-notes.html

Email Address Munging
---------------------

The fact that raw email addresses are displayed in Bugzilla makes it trivial
for bots that spamharvest to spider through Bugzilla, in particular, through
Bugzilla's buglists. This change adds HTML obfuscation of email addresses as
they appear in the Bugzilla web pages.

Reproducible: Always
Steps to Reproduce:
1. Visit any bug report at bugzilla.mozilla.org
2. Grab bug reporter's, commenters, etc. email addresses
Actual Results:  
Email addresses are available in plain text for anyone to copy / grab / abuse.

Expected Results:  
An email should only be sent via an online form by default for authenticated
users, if at all permitted. Sourceforge's methods could also provide inspiration
for this. If custom code is created for this, perhaps it could/should be
contributed to Bugzilla.

This could be used to provoke a major DOS attack by mass mailing every (or
selected) Mozilla developer and blocking their email accounts, potentially
delaying or stopping upcoming releases.
(In reply to comment #0)
> SOLUTION: Upgrade to version 2.18 of Bugzilla when it's released. Contribute
> code to Bugzilla so future Mozilla developers and contributors emails have
> better protection.
> 
> According to the release notes of upcoming 2.18 version of Bugzilla:
> http://www.bugzilla.org/releases/2.18/release-notes.html
> 
> Email Address Munging

bugzilla.mozilla.org is already running this code.  It was introduced in 2.17.6.

The HTML of the email addresses are obfuscated, and don't look like emails in
the page source.  This trick worked for a while, but the spammers are starting
to get wise to it.  There are other tricks in the works to stave them off for a
while.  Bug 215439 is the closest to what you're proposing here.

*** This bug has been marked as a duplicate of 215439 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org
You need to log in before you can comment on or make changes to this bug.