Let's Encrypt Email Address Disclosures
Let's Encrypt Email Address Disclosures
Let's Encrypt has a preliminary
report about an email address disclosure. "On June 11 2016
(UTC), we started sending an email to all active subscribers who provided
an email address, informing them of an update to our subscriber
agreement. This was done via an automated system which contained a bug that
mistakenly prepended between 0 and 7,618 other email addresses to the body
of the email. The result was that recipients could see the email addresses
of other recipients. The problem was noticed and the system was stopped
after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each
email mistakenly contained the email addresses from the emails sent prior
to it, so earlier emails contained fewer addresses than later ones.
"
A postmortem is underway. (Thanks to Paul Wise)
Update: postmortem results have been added to the incident report. "A small piece of software had been written to handle one-off mass emailing to our subscribers. It was being used for the first time when this incident occurred.
The software went through code review and testing as it was being
developed, but testing was insufficient. It did not catch a bug which
prepended the email addresses of prior recipients to the body of emails. Insufficient testing is considered to be the root cause of this incident.
"