[security issue] E-mail address exposed #1010

Closed
M1dgard opened this Issue Jul 20, 2015 · 4 comments

M1dgard commented Jul 20, 2015

It is possible to get the e-mail address of any user by visiting XXX.

The OSM user will be sent a confirmation mail and the page will show their email address.

Member

tomhughes commented Jul 20, 2015

You've heard of responsible disclosure then?

Member

tomhughes commented Jul 20, 2015

The site has now been taken offline until this issue can be addressed.

M1dgard commented Jul 20, 2015

I'm so sorry, I should have left the URL out and waited for someone to contact me.

Member

tomhughes commented Jul 20, 2015

I have applied 9fdea1c temporarily and the site should be back up in a moment.

@tomhughes tomhughes closed this in 629ae62 Jul 20, 2015

sbagroy986 added a commit to sbagroy986/openstreetmap-website that referenced this issue Jul 24, 2015

Require a valid session token to resend a confirmation
Make user#confirm_resend require a valid token in the session
that matches the requested user, and ensure trying to login as
an unconfirmed user sets such a token.

Fixes #1010
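The commit message above describes the shape of the fix: the resend endpoint must only act for the user whose failed login set a token in the current session. The following is an added illustration, not code from openstreetmap-website or from either commit referenced in this thread. It models the flow in plain Ruby with constructed users, a constructed in-memory token store (`TOKENS`) standing in for the project's token records, and a recording mailer, and places the disclosing handler beside the checked one so the difference is testable.

```ruby
# Added example (not the openstreetmap-website code): the confirm-resend flow
# before and after requiring a session token bound to the requested user.
require 'securerandom'

# Constructed stand-in for the user model; field names are assumptions.
User = Struct.new(:display_name, :email, :confirmed)

# Constructed sample accounts; the addresses are placeholders.
USERS = {
  'alice' => User.new('alice', 'alice@example.invalid', false),
  'bob'   => User.new('bob',   'bob@example.invalid',   false)
}.freeze

# Constructed in-memory store: token string -> display_name it was issued for.
TOKENS = {}

# Stand-in for the mailer: records which address each confirmation went to.
class ConfirmationMailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def signup_confirm(user)
    @sent << user.email
  end
end

# Disclosing shape (the behaviour reported in this issue): any visitor can name
# any user; the handler mails that user and echoes the address back in the notice.
def confirm_resend_vulnerable(display_name, mailer)
  user = USERS[display_name]
  return { status: 404 } unless user

  mailer.signup_confirm(user)
  { status: 200, notice: "Confirmation e-mail sent to #{user.email}" }
end

# Login stand-in: an attempt to log in as an unconfirmed user does not complete,
# but it leaves a token in the session that is bound to that one user.
def login_unconfirmed(display_name, session)
  user = USERS[display_name]
  return false unless user && !user.confirmed

  token = SecureRandom.hex(16)
  TOKENS[token] = user.display_name
  session[:token] = token
  true
end

# Checked shape: the session must carry a token issued for *this* user. No
# session, a token for another user, or an unknown token is refused before any
# mail is sent, and the notice no longer reveals the address.
def confirm_resend_fixed(display_name, session, mailer)
  user = USERS[display_name]
  return { status: 404 } unless user

  token = session[:token]
  return { status: 403 } unless token.is_a?(String) && TOKENS[token] == user.display_name

  mailer.signup_confirm(user)
  { status: 200, notice: 'Confirmation e-mail resent' }
end
```

The 403 in the checked version is this example's choice, not a claim about what the project returns; the point is that the authorization decision happens before the mailer is called, so an unauthenticated request for another user's name neither triggers mail nor learns anything about the account.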