Hyperkitty, the Django-based application that provides the web archive interface for Mailman, the popular open-source mailing list and newsletter management service, has patched a critical flaw that exposed private mailing lists while their archives were being imported.
Amir Sarabadani, a software engineer at Wikimedia Deutschland, identified the flaw while upgrading Wikimedia's mailing lists from Mailman 2 to Mailman 3.
“We were upgrading a test mailing list that was private but realized during the upgrade it was public. Once the upgrade was done, the list would become private. Private mailing lists can contain sensitive information, like publicly identifiable information,” Sarabadani stated.
“When importing a private mailing list's archives, these archives are publicly visible for the duration of the import,” reads the security advisory on GitHub. This means that, for the length of the import, a threat actor would be able to access the personal information of the list's users.
Security researchers rated the flaw as critical, with a severity score of 7.5. The latest version of Hyperkitty patches the flaw by obtaining the privacy configuration of each imported list from Mailman instead of applying default settings. According to the GitHub advisory, upgrades from older versions of Mailman to Mailman 3 can take more than an hour, which is also the length of the exposure window.
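The root cause described above is an insecure default applied during a transitional state: the archive exists and is readable before its real privacy setting has been applied. The following is an added illustration, not Hyperkitty's or Mailman's code; every class, function and value in it is constructed for the example. It models the vulnerable import order (create the list with a default public policy, import messages, apply the real policy last) beside the corrected order (fetch the policy from the list manager before creating the list), with an "observer" standing in for an anonymous request arriving mid-import.

```python
"""Model of the import-window exposure: default-public archive vs. policy fetched first.

Added, self-contained example (not Hyperkitty's or Mailman's code). All names,
the list manager configuration and the message archive are constructed here.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class ArchivePolicy(Enum):
    PUBLIC = "public"
    PRIVATE = "private"


@dataclass
class ArchivedList:
    """Minimal stand-in for an archived mailing list in the web front end."""
    name: str
    policy: ArchivePolicy
    messages: List[str] = field(default_factory=list)

    def visible_to(self, is_member: bool) -> bool:
        # A public archive is readable by anyone; a private one only by members.
        return self.policy is ArchivePolicy.PUBLIC or is_member


# Constructed stand-in for the list manager's authoritative settings (Mailman's role).
LIST_MANAGER_CONFIG = {"staff-private": ArchivePolicy.PRIVATE}

# Constructed placeholder archive being imported.
MESSAGES = ["msg-1", "msg-2", "msg-3"]

Observer = Callable[[ArchivedList], int]


def anonymous_view(lst: ArchivedList) -> int:
    """Number of archived messages a non-member can read at this instant."""
    return len(lst.messages) if lst.visible_to(is_member=False) else 0


def import_with_default_policy(name: str, observe: Observer) -> Tuple[ArchivedList, int]:
    """Vulnerable order: list created with a default PUBLIC policy, messages
    imported one by one, real policy applied only after the import finishes.

    `observe` is called after each imported message, modelling a request that
    arrives during the import. Returns the list and the largest number of
    messages the observer could read at any point."""
    lst = ArchivedList(name, ArchivePolicy.PUBLIC)  # insecure default
    max_readable = 0
    for msg in MESSAGES:
        lst.messages.append(msg)
        max_readable = max(max_readable, observe(lst))
    lst.policy = LIST_MANAGER_CONFIG[name]  # correct, but applied too late
    return lst, max_readable


def import_with_fetched_policy(name: str, observe: Observer) -> Tuple[ArchivedList, int]:
    """Corrected order: the privacy policy is fetched from the list manager
    before the list object exists, so no intermediate state is public."""
    policy = LIST_MANAGER_CONFIG[name]  # fetched first, no default assumed
    lst = ArchivedList(name, policy)
    max_readable = 0
    for msg in MESSAGES:
        lst.messages.append(msg)
        max_readable = max(max_readable, observe(lst))
    return lst, max_readable


if __name__ == "__main__":
    _, leaked = import_with_default_policy("staff-private", anonymous_view)
    _, safe = import_with_fetched_policy("staff-private", anonymous_view)
    print(f"messages readable mid-import: vulnerable={leaked}, fixed={safe}")
```

Both orders end with the list marked private, which is why an after-the-fact check of the final state would not catch the problem; only an observation taken during the import does. The practical lesson for defenders is to audit how a newly created resource is configured at creation time, not only what its settings look like once a migration has completed.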
According to Sarabadani, the impact of the flaw depends on the mailing list and on how large it is.
“Private mailing lists can contain sensitive information, like publicly identifiable information. If you communicated publicly that mailing lists are being upgraded [at] certain dates and times as a maintenance window (which you would usually), an attacker can use the opportunity to extract as much private data as possible, especially since Hyperkitty allows you to download all of the archives in batch,” Sarabadani added.
“Don’t take security for granted. A new software being deployed in your infra, no matter how mature, can still have rather major security issues.”
The latest research revealed that nearly 41 percent of executives do not practise open-source governance in their organizations, a problematic figure considering that open-source components underpin vast sections of enterprise applications and networks.

The security flaw in Hyperkitty caused a partially imported list to be marked as public regardless of its privacy setting in Mailman.