#1188 Account email vulnerability - Lighthouse Users

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:id	tickets sorted by id (creation time)
Combine keywords for powerful searching.
Use advanced searching »

#1188 open

Account email vulnerability

Reported by Nathaniel Bibler | October 2nd, 2008 @ 07:40 AM

The system appears to currently give the list of all valid email addresses in the account when an email is sent to create a new ticket for a project which is not from a known email address.

For example, if I send an email from badguy@foo.domain to a valid project address, the Professor (email system) replies with:

We received an email from this address that had problems being processed into a new Lighthouse ticket:

Failed for "badguy@foo.domain" to : Invalid token: ["goodaddress1@domain.url", "goodaddress2@domain.url", ...]:

TROUBLESHOOT http://lighthouseapp.com/help/ho...

FILE BUG http://activereload.lighthouseap...

It would then seem to be a trivial task for a spammer to actually spoof a valid address and successfully spam projects, among other devious things. Which is exactly what that feature was in place to avoid.

Comments and changes to this ticket

Nathaniel Bibler October 2nd, 2008 @ 09:12 AM
It could possibly be that the email was 'redirected' through Apple Mail.. looking back at it, the redirected message contains both 'To' and 'Resent-To' headers. The Resent-To appears to be the valid Lighthouse address, and To matches those email addresses sent back to me.

I'll chalk this one up to user error and silly Apple Mail redirection.
rick October 2nd, 2008 @ 02:11 PM
- → Tag changed from “bug email security spam” to “bug email spam”
It's showing the emails because it's looking for the lighthouse address in the To header. It's not listing anything you didn't already have in the email headers. Though, there should be a better way to parse out the lighthouse token. I've been working on this stuff lately and want to upgrade the professor really soon.
Will October 27th, 2008 @ 10:21 AM
- → State changed from “new” to “open”
- → Assigned user changed from “” to “rick”

Please Login or create a free account to add a new comment.

You can update this ticket by sending an email to from your email client. (help)

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Using Lighthouse to track Lighthouse.

Shared Ticket Bins (Sort)

0Updated Recently ↓↑ drag
14High Priority Tickets ↓↑ drag
11New Tickets ↓↑ drag
25API Issues ↓↑ drag

Lighthouse Users

Account email vulnerability

Comments and changes to this ticket

Nathaniel Bibler October 2nd, 2008 @ 09:12 AM

rick October 2nd, 2008 @ 02:11 PM

Will October 27th, 2008 @ 10:21 AM

Create your profile

Your Ticket Bins (Sort)

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Lighthouse Users

Keyword searching

Account email vulnerability

Comments and changes to this ticket

Nathaniel Bibler October 2nd, 2008 @ 09:12 AM

rick October 2nd, 2008 @ 02:11 PM

Will October 27th, 2008 @ 10:21 AM

Create your profile

Your Ticket Bins (Sort)

Shared Ticket Bins (Sort)

People watching this ticket

Tags