A security flaw in Hyperkitty could have allowed unauthorized access to private data handled by Mailman, the mailing list management software used by Wikimedia, among many other organizations and private users.
Hyperkitty is the web-based archive interface for Mailman 3, which is used by millions of people to create and distribute mailing lists. Anyone running Hyperkitty is urged to update to the patched version as soon as possible.
The issue lies in Hyperkitty's archive import: the archives of a private mailing list could be exposed while they were being imported.
The Hyperkitty maintainers have patched this high-severity bug, which could expose private user information such as names and email addresses.
Prior to the patch, the archive of a private mailing list could be read by anyone, including a malicious actor, for as long as the import was running, an advisory on GitHub warned.
“When importing a private mailing list’s archives, these archives are publicly visible for the duration of the import.”
Amir Sarabadani, an engineer at Wikimedia Deutschland, discovered the vulnerability when he was upgrading Wikimedia’s mailing lists to Mailman 3.
“We were upgrading a test mailing list that was private but realized during the upgrade it was public. Once the upgrade was done, the list would become private,” Sarabadani told The Daily Swig.
Hyperkitty's import marked a partially imported list as public regardless of the list's privacy setting in Mailman, and only applied the correct setting once the import had finished. According to the advisory, a large migration from Mailman 2 to Mailman 3 can take over an hour, which gives a malicious actor ample time to download the exposed archive.
“Private mailing lists can contain sensitive information, like publicly identifiable information,” Sarabadani said.
And if the organization running Mailman had announced that certain mailing lists were being upgraded, an attacker could have used that window to extract private data from those lists, he added.
“If you communicated publicly that mailing lists are being upgraded [at] certain dates and times as a maintenance window (which you would usually), an attacker can use the opportunity to extract as much private data as possible, especially since Hyperkitty allows you to download all of the archives in batch.”
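To make the ordering problem concrete, here is an added illustrative model of the flaw and its fix. It is not Hyperkitty's or Mailman's own code: the names (ArchiveStore, MailingList, import_archive_vulnerable, import_archive_fixed, run_import) are hypothetical, and the two-message mbox is constructed for the example. The vulnerable importer creates the archive with a public default and only copies the list's privacy setting from Mailman core after the last message is stored, so any anonymous request arriving during the import can read it; the fixed importer resolves the privacy setting before storing anything and fails closed to private if that lookup fails.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample standing in for a Mailman 2 mbox of a private list.
SAMPLE_MBOX = """\
From alice@example.org Mon Jan 04 10:00:00 2021
Subject: board minutes

internal only
From bob@example.org Mon Jan 04 11:00:00 2021
Subject: Re: board minutes

agreed
"""
LIST_NAME = "board-private"


@dataclass
class MailingList:
    name: str
    archive_policy: str = "public"  # hypothetical default: readable by anyone
    messages: List[Dict[str, str]] = field(default_factory=list)


class ArchiveStore:
    """Stand-in for the archiver's database plus its unauthenticated web view."""

    def __init__(self) -> None:
        self.lists: Dict[str, MailingList] = {}

    def anonymous_view(self, name: str) -> Optional[List[str]]:
        """Subjects an anonymous visitor can read, or None for a 403/404."""
        ml = self.lists.get(name)
        if ml is None or ml.archive_policy != "public":
            return None
        return [m["subject"] for m in ml.messages]


def parse_mbox(text: str) -> Iterator[Dict[str, str]]:
    """Minimal mbox splitter: each message starts at a line beginning 'From '."""
    for chunk in re.split(r"(?m)^From ", text):
        if not chunk.strip():
            continue
        head, _, body = chunk.partition("\n\n")
        headers: Dict[str, str] = {}
        for line in head.splitlines()[1:]:  # [0] is the envelope line remainder
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        yield {"subject": headers.get("subject", ""), "body": body.strip()}


def import_archive_vulnerable(store: ArchiveStore, name: str, mbox: str,
                              core_policy: Callable[[str], str],
                              observe: Callable[[ArchiveStore], None]) -> MailingList:
    """Flawed ordering: list created with the default (public) policy, all
    messages stored, and only then the policy copied from Mailman core.
    Each observe() call models an anonymous web request during the import."""
    ml = store.lists.setdefault(name, MailingList(name))
    for msg in parse_mbox(mbox):
        ml.messages.append(msg)
        observe(store)
    ml.archive_policy = core_policy(name)  # too late: the window has passed
    return ml


def import_archive_fixed(store: ArchiveStore, name: str, mbox: str,
                         core_policy: Callable[[str], str],
                         observe: Callable[[ArchiveStore], None]) -> MailingList:
    """Fail-closed ordering: resolve the policy from Mailman core before any
    message is stored, and fall back to private if that lookup fails."""
    try:
        policy = core_policy(name)
    except Exception:  # core unreachable: never assume "public"
        policy = "private"
    ml = store.lists.get(name)
    if ml is None:
        ml = store.lists[name] = MailingList(name, archive_policy=policy)
    else:
        ml.archive_policy = policy
    for msg in parse_mbox(mbox):
        ml.messages.append(msg)
        observe(store)
    return ml


def run_import(importer) -> Dict[str, object]:
    """Run one importer on a fresh store; record what an anonymous visitor
    could read mid-import and the list's final state."""
    store, seen = ArchiveStore(), set()

    def observe(s: ArchiveStore) -> None:
        seen.update(s.anonymous_view(LIST_NAME) or [])

    # Mailman core reports the list as private; the importer must honour that.
    ml = importer(store, LIST_NAME, SAMPLE_MBOX, lambda _name: "private", observe)
    return {"leaked_subjects": sorted(seen), "final_policy": ml.archive_policy,
            "imported": len(ml.messages)}
```

Running `run_import` against both importers shows the difference the advisory describes: the vulnerable path ends in the correct private state, yet every subject was readable anonymously while the import ran, whereas the fail-closed path leaks nothing. The operational check during a real migration is the same as the `observe` callback here: request the archive URL without credentials while the import is in progress, not just after it finishes.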
The issue was assigned a CVSS severity score of 7.5 (high).
The researcher warned that no infrastructure is bulletproof, and that newly deployed software should be treated as potentially vulnerable:
“Don’t take security for granted,” Sarabadani said. “A new software being deployed in your infra, no matter how mature, can still have rather major security issues.”
Image: Christoph Wickert