That was my initial reaction, too. In a closed system, it makes sense -- for the public notebook, it doesn't immediately seem like such a bad thing, but it lends itself to a scary attack.
Robert makes an account on the public notebook. Robert sees William's account on the failure page, so creates an account -- then from the notebook, Robert launches a zero-latency brute-force attack to discover William's password. Now, Robert logs into William's account. From there, he inserts malicious JavaScript into William's most-recently edited worksheet. Next time William opens his favorite worksheet, Robert pwns his machine, logs in, and edits the grade chart for William's Math 581 class, scoring himself a well-deserved 4.1...

On Thu, 20 Dec 2007, Robert Miller wrote:

> As pointed out by Michael Abshoff, it seems like an information leak
> to list all the usernames on a notebook when you fail to use a valid
> one to log in. Thoughts?
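The leak this thread is about, and the usual fix, as an added example (this is not code from the Sage notebook; the in-memory `UserStore`, the `LoginLimiter`, the PBKDF2 parameters and the message strings are all constructed here for illustration). `leaky_login` reproduces the complained-about behaviour: a failed login names the valid accounts and tells "no such user" apart from "wrong password". `hardened_login` returns one generic message for both cases, burns the same hashing cost for unknown users so response time does not enumerate them either, and locks an account after repeated failures, which is what blunts the brute-force step in the scenario above.

```python
"""Username enumeration on a login failure page, and a hardened handler.

Added example; not code from the Sage notebook.  The user store, limiter,
PBKDF2 rounds and messages are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple

PBKDF2_ROUNDS = 20_000          # assumption: any slow password hash would do
_DUMMY_SALT = b"\x00" * 16      # used only to equalise cost for unknown users


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Constructed in-memory account store holding salted PBKDF2 digests."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def usernames(self) -> List[str]:
        return sorted(self._users)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Burn the same hashing cost for unknown users so the response
            # time does not reveal which usernames exist.
            _hash_password(password, _DUMMY_SALT)
            return False
        salt, digest = record
        # Constant-time digest comparison.
        return hmac.compare_digest(_hash_password(password, salt), digest)


def leaky_login(store: UserStore, username: str, password: str) -> str:
    """The behaviour the thread objects to: the failure page lists the
    accounts on the notebook and distinguishes unknown user from bad password."""
    if username not in store.usernames():
        return "No such user. Accounts on this notebook: " + ", ".join(store.usernames())
    if not store.verify(username, password):
        return "Wrong password for " + username
    return "OK"


class LoginLimiter:
    """Counts failed logins per username inside a sliding time window."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock                      # injectable for testing
        self._failures: Dict[str, List[float]] = {}

    def _recent(self, username: str) -> List[float]:
        now = self.clock()
        stamps = [t for t in self._failures.get(username, [])
                  if now - t < self.window_seconds]
        self._failures[username] = stamps       # drop expired entries
        return stamps

    def is_locked(self, username: str) -> bool:
        return len(self._recent(username)) >= self.max_failures

    def record_failure(self, username: str) -> None:
        self._recent(username).append(self.clock())

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


GENERIC_FAILURE = "Invalid username or password."
LOCKED_OUT = "Too many failed attempts; try again later."


def hardened_login(store: UserStore, limiter: LoginLimiter,
                   username: str, password: str) -> str:
    """One message for unknown user and wrong password; lockout on repeats."""
    if limiter.is_locked(username):
        return LOCKED_OUT
    if store.verify(username, password):
        limiter.reset(username)
        return "OK"
    limiter.record_failure(username)
    return GENERIC_FAILURE


if __name__ == "__main__":
    store = UserStore()
    store.add_user("william", "correct horse battery staple")
    print(leaky_login(store, "robert", "guess"))            # names "william"
    limiter = LoginLimiter(max_failures=3)
    print(hardened_login(store, limiter, "robert", "guess"))   # generic
    print(hardened_login(store, limiter, "william", "guess"))  # same generic
```

Two caveats on the hardened version. Keying the lockout on the username alone means an attacker who knows a name can lock its owner out, so a deployment would normally key on (username, client) or use a growing delay instead of a hard lock; in the scenario above the "client" is the notebook server itself, which is exactly why the brute force is zero-latency. And the generic message only helps if account creation (and any "username already taken" check) does not leak the same list by another route.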