On Tue, 2022-01-11 at 18:15 +0100, Alexander Sosedkin wrote: > On Tue, Jan 11, 2022 at 6:04 PM Yaakov Selkowitz <yselk...@redhat.com> wrote: > > > > On Tue, 2022-01-11 at 11:58 -0500, Christopher wrote: > > > Hi, > > > > > > Today, I received an email from f...@fedoraproject.org with the subject > > > line "Fedora Account System: please verify your Bugzilla email > > > address". This email has a unique link to accounts.fedoraproject.org. > > > > > > Based on the context, it seems legitimate. However, I noticed that > > > clicking the link will take you to a sign-in page asking for > > > credentials to your account. That seems strange to me, because it > > > already has a unique link that's associated with the verification of a > > > specific email in a specific FAS account, so asking for credentials > > > should be completely unnecessary here. Asking for credentials makes > > > this appear to be a phishing attempt, because that's how a phishing > > > email would behave (appearance of legitimacy, requesting credentials > > > when not needed). > > > > > > I think the FAS developers should remove the requirement to sign-in > > > for these verification emails, to reduce the appearance/behavior of > > > phishing. The email itself says these emails are "To improve > > > security". If that is a goal, then Fedora systems should avoid > > > training users to supply credentials when not needed. > > > > You want anyone who receives or intercepts those emails to be able to access > > your account *without* logging in?!? > > An entity intercepting and reading your email should already be capable > of anything besides installing your drivers (https://xkcd.com/1200). > Is FAS somehow resistant to the "forgot password" button clicking "attack"? > How?
A FAS account with 2FA turned on is. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
