Slack notifications


Avi Drissman

Jan 16, 2020, 3:01:16 PM
to content-team
Hi, content team!

Someone just did some Slack joining apparently. Is this any of us, or did someone spammily join it to Slack?

Avi Drissman

Jan 16, 2020, 3:02:09 PM
to content-team
Also, this enabled 2FA, so this actually kinda has me weirded out that someone is logged into Slack with a @chromium via this mailing list.

mila...@gmail.com

Jan 16, 2020, 3:13:27 PM
to content-team, a...@google.com
This is a vulnerability that I reported to Google a while ago, and they didn't bother fixing it because it's not a technical bug. Well yeah, it's a logic flaw, but that doesn't make it any less severe.
If you don't like the idea of your conversations being public to the entire Internet, please reach out to Google's Security team and ask them to take my reports a bit more seriously:
https://issuetracker.google.com/issues/146330141
https://issuetracker.google.com/issues/146275353

I went back, trying to look for something to escalate the issue and get Google to do something. It's not just Chromium that's affected, but any other org with a public mailing list.
Alternatively you can disable "Anyone can post." on all your public mailing lists, but I assume that's just not a feasible solution.

Avi, you are right. Anyone with an Internet connection can join your Slack workspaces through public Google Groups mailing lists, like this one.

mila...@gmail.com

Jan 16, 2020, 3:21:03 PM
to content-team, a...@google.com
Please note that apparently this is a valid use-case of Google Groups and an intended behaviour. I haven't done anything wrong.
Google closed both of my tickets as Won't Fix (Intended behavior). So don't expect a fix any time soon. :)

Also, I was told that Google "have shared my report with the Chromium team for your review", so this shouldn't be a surprise to you.

On Thursday, 16 January 2020 21:01:16 UTC+1, Avi Drissman wrote:

mila...@gmail.com

Jan 16, 2020, 3:49:13 PM
to content-team, a...@google.com
Good job on deactivating an account. Just keep in mind that you haven't solved the problem with this.


On Thursday, 16 January 2020 21:01:16 UTC+1, Avi Drissman wrote:

mila...@gmail.com

Jan 16, 2020, 3:50:34 PM
to content-team, a...@google.com
And as I've said in there: an infinite number of new accounts can be created with the same email address (mailing list):
conten...@chromium.org and content-...@chromium.org are the same account on Google's side, but treated as different in Slack or other services.


On Thursday, 16 January 2020 21:01:16 UTC+1, Avi Drissman wrote:
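As an added illustration of the last point above (not code from this thread, from Google, or from Slack): a sign-up check that compares raw address strings treats every spelling of one Google-hosted mailbox as a fresh account, while a check that canonicalizes the address first collapses them to a single identity. The set of dot-insensitive domains and the sample addresses are constructed assumptions for this example.

```python
# Domains whose mail provider ignores dots in the local part and strips
# "+tag" suffixes (Gmail / Google Workspace behaviour). Which customer
# domains belong here is an assumption made for this example.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com", "example.org"}


def canonicalize(address: str) -> str:
    """Return the single identity the provider delivers this address to."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+tag" suffix
        local = local.replace(".", "")   # dots are ignored by the provider
    if domain == "googlemail.com":       # legacy alias of gmail.com
        domain = "gmail.com"
    return f"{local}@{domain}"


def distinct_accounts_naive(addresses):
    """Uniqueness check on the raw (case-folded) string: every spelling wins."""
    return len({a.strip().lower() for a in addresses})


def distinct_accounts_canonical(addresses):
    """Uniqueness check on the canonical identity: one mailbox, one account."""
    return len({canonicalize(a) for a in addresses})


class Directory:
    """Account store that refuses a second account for the same mailbox."""

    def __init__(self):
        self._by_identity = {}

    def register(self, address: str) -> str:
        key = canonicalize(address)
        if key in self._by_identity:
            raise ValueError(
                f"{address!r} already registered as {self._by_identity[key]!r}")
        self._by_identity[key] = address
        return key


# Constructed sample: three spellings of one Google-hosted group address.
SAMPLE = ["content.team@example.org",
          "contentteam@example.org",
          "Content.Team+slack@example.org"]

if __name__ == "__main__":
    print("naive:", distinct_accounts_naive(SAMPLE))          # 3 accounts
    print("canonical:", distinct_accounts_canonical(SAMPLE))  # 1 account
```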