Bug 197687

Summary: Tools using bugzilla email lists expose un-truncated and un-obfuscated email addresses
Product: WebKit
Reporter: Tobi Reif <tobi>
Component: Tools / Tests
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ap, lforschler, mitz, simon.fraser, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified

Description Tobi Reif 2019-05-08 01:23:21 PDT
My email address gets published un-truncated and un-obfuscated.

Here's a list of the pages:
(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

https://bit.ly/2DU2xGK

Please make sure that my email address gets obfuscated or truncated on these pages (please send a request to the marc.info maintainers).

Please also make sure that my email address gets obfuscated or truncated on the original pages (your pages) from which marc.info got the copies.
Comment 1 Simon Fraser (smfr) 2019-05-08 09:55:32 PDT
Looks like marc.info is following webkit-unassigned (https://marc.info/?l=webkit-unassigned&r=1&w=2)
Comment 2 Tobi Reif 2019-05-09 03:21:33 PDT
One specific example:

The bug page:
https://bugs.webkit.org/show_bug.cgi?id=108929
Does not publish my email address.

The message at the original location:
https://lists.webkit.org/pipermail/webkit-unassigned/2013-March/1364285.html
Has my email address, but at least the at-sign is replaced with " at ".
Please make sure the email address gets truncated/obfuscated more strongly (on the whole site webkit.org) (ideally for all email addresses).

The message copy at marc.info:
https://marc.info/?l=webkit-unassigned&m=136360475701428
Contains my email address (you can find it right after "Comment #7 from Tobi Reif") in full, non-obfuscated and non-truncated. It even is featured verbatim in the source of the page - very easy to harvest even for simple spam bots.

Since 2018-02-21 I have sent several emails to the maintainers of marc.info. They have not fixed the issue.

Please make sure that the list admin of "Webkit-unassigned" will soon send a request to the marc.info maintainers https://marc.info/?q=about asking them to immediately obfuscate or/and truncate all instances of my email address on their site which have been fetched from "Webkit-unassigned" (currently all instances of my email address on marc.info are from "Webkit-unassigned"). (Feel free to expand the request to all email addresses fetched from your list/lists.)
Comment 3 Tobi Reif 2019-05-09 03:28:19 PDT
... and if marc.info gets the messages via an API please make sure that the email addresses are strongly truncated/obfuscated in the data supplied by the API.
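
Added example, not part of the original thread and not WebKit or Bugzilla code: a sketch of the truncation that Comments 2 and 3 ask for, applied to message text before it is handed to a list or a downstream archive. It reduces each address to its local part, the way the Reporter and Assignee fields at the top of this page are already shown; the function names and the sample message are constructed for illustration.

```python
import re

_LOCAL = r"[A-Za-z0-9._%+-]+"
_DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

# Plain form, anywhere in the text: local@domain
_PLAIN = re.compile(rf"\b({_LOCAL})@{_DOMAIN}\b")
# " at " form (as on the pipermail page in Comment 2). Only rewritten inside
# angle brackets so ordinary prose such as "look at marc.info" is left
# alone; that restriction is a choice made for this example.
_AT_WORD = re.compile(rf"<({_LOCAL})\s+at\s+{_DOMAIN}>")


def truncate_addresses(text: str) -> str:
    """Drop the domain from every address, keeping only the local part."""
    text = _PLAIN.sub(r"\1", text)
    return _AT_WORD.sub(r"<\1>", text)


def leaked_addresses(text: str) -> list[str]:
    """Return plain-form addresses still present; a gate to run before publishing."""
    return [m.group(0) for m in _PLAIN.finditer(text)]


# Constructed sample; the name and address are placeholders.
SAMPLE = (
    "--- Comment #7 from Jane Doe <jane.doe@example.org> ---\n"
    "Archived copy: Jane Doe <jane.doe at example.org>\n"
    "Please look at marc.info for the list archive.\n"
)

if __name__ == "__main__":
    cleaned = truncate_addresses(SAMPLE)
    print(cleaned)
    print("still leaking:", leaked_addresses(cleaned))
```

Running the gate on outgoing text catches any template or code path that bypasses the scrubber, since copies already fetched by a third-party archive cannot be rewritten from the sending side.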
Comment 4 Tobi Reif 2019-05-09 04:25:42 PDT
And thanks for looking into it!
Comment 5 Tobi Reif 2019-05-17 02:43:14 PDT
Please make sure that my email address gets truncated/obfuscated on all these marc.info pages: https://bit.ly/2DU2xGK (they all publish a "Webkit-unassigned" message).

Please send a request to the contacts at https://marc.info/?q=about (there also is a contact at the bottom of the page after "send pizza").
Comment 6 Tobi Reif 2019-05-21 02:48:32 PDT
(Please make sure to not paste my email address here in this ticket. Thanks.)
Comment 7 Radar WebKit Bug Importer 2019-05-22 21:53:13 PDT
<rdar://problem/51055305>
Comment 8 Tobi Reif 2019-05-28 23:59:52 PDT
I hope this issue can get resolved soon.
Comment 9 Tobi Reif 2019-06-24 01:05:30 PDT
I hope this issue can get resolved soon.
Comment 10 Tobi Reif 2019-07-19 02:39:17 PDT
I hope this issue can get resolved soon.
Comment 11 Tobi Reif 2019-08-20 01:50:15 PDT
I hope that this issue will be resolved soon. Thanks in advance!
Comment 12 Tobi Reif 2019-09-25 01:23:40 PDT
I hope this issue can get resolved soon.
Comment 13 Tobi Reif 2019-11-04 02:13:27 PST
I hope this issue can get resolved soon.
Comment 14 Tobi Reif 2020-03-12 02:04:22 PDT
Please make sure that my email address gets truncated/obfuscated on all these marc.info pages: https://bit.ly/2DU2xGK (they all publish a "Webkit-unassigned" message).

Please send a request to the contacts at https://marc.info/?q=about (there also is a contact at the bottom of the page after "send pizza").
Comment 15 Tobi Reif 2020-04-24 02:13:49 PDT
It clearly doesn't help that I post here regularly. What could I do instead?


The issue needs to get resolved. Has anything been tried? Is there any progress at all?
Comment 16 Tobi Reif 2020-05-05 01:06:20 PDT
You are passing on my email address, not actively but knowingly, for years, either via some pages or via an API. And marc.info is publishing it.

I had never consented to you passing on my email address. Please stop it. And please make sure that the past and future published copies of my bug reports on marc.info do not contain my email address (they got and are getting my email address through you).
Comment 17 Tobi Reif 2020-08-21 00:53:48 PDT
You are passing on my email address, not actively but knowingly, for years, either via some pages or via an API. And marc.info is publishing it.

I had never consented to you passing on my email address. Please stop it. And please make sure that the past and future published copies of my bug reports on marc.info do not contain my email address (they got and are getting my email address through you).
Comment 18 Tobi Reif 2020-12-14 01:48:54 PST
Is there anything I can do to help?

You are passing on my email address, not actively but knowingly, for years, either via some pages or via an API. And marc.info is publishing it.

I had never consented to you passing on my email address. Please stop it. And please make sure that the past and future published copies of my bug reports on marc.info do not contain my email address (they got and are getting my email address through you).
Comment 19 Tobi Reif 2021-04-13 00:58:30 PDT
There currently still are several pages which publish my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)
Comment 20 Tobi Reif 2022-01-04 06:28:49 PST
There currently are only three pages left which publish my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that these last three pages will disappear as well (and that my email address won't be shared through WebKit bug reports anymore).
Comment 21 Tobi Reif 2022-04-26 07:44:54 PDT
I hope that you can ensure that these last three pages will disappear as well.
Comment 22 Tobi Reif 2022-05-11 07:02:45 PDT
As far as https://bit.ly/2DU2xGK shows, the problem has been resolved.

My sincere thanks!
Comment 23 Tobi Reif 2022-06-11 10:02:12 PDT
Unfortunately, the status went from zero back to several:

There currently are two pages listed which publish my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that these two pages will disappear as well (and that my email address won't be shared through WebKit bug reports anymore).
Comment 24 Tobi Reif 2022-08-01 02:50:07 PDT
There currently is one page listed which publishes my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that this page will disappear as well (and that my email address won't be shared through WebKit bug reports anymore).
Comment 25 Tobi Reif 2022-11-16 02:03:44 PST
There currently is one page listed which publishes my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that this page will disappear as well (and that my email address won't be shared through WebKit bug reports anymore).
Comment 26 Tobi Reif 2023-04-16 07:20:39 PDT
There currently are four pages listed which publish my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that these pages will disappear (and that my email address won't be shared through WebKit bug reports anymore).
Comment 27 Tobi Reif 2023-05-12 02:26:45 PDT
There currently are four pages listed which publish my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that these pages will disappear (and that my email address won't be shared through WebKit bug reports anymore).
Comment 28 Tobi Reif 2023-12-11 02:31:25 PST
There currently is one page listed which publishes my email address which they got from WebKit bug reports:

https://bit.ly/2DU2xGK

(A URL-shortener is used so that I don't have to paste the verbatim URL which includes my email address. The bit.ly URL resolves to a google.com search.)

I hope that you can ensure that this page will disappear (and that my email address won't be shared through WebKit bug reports anymore).