Launchpad itself

Hidden primary email addresses can be viewed for most accounts on launchpad.net

Bug #1322388 reported by Jeremie Miserez on 2014-05-22

This bug report is a duplicate of: Bug #1098309: private email account shouldn't be visible on a merge request. Edit Remove

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	New	Undecided	Unassigned

Bug Description

It is currently possible to get the primary email address of (almost) any user on launchpad.net, even if the user sets his email address to private in his profile.

All that is needed is to visit the account merge page (https://launchpad.net/people/+requestmerge) and try to merge with the account in question. I've done this successfully with the following account (which is my own, I created it specifically for this):

https://launchpad.net/~thisaddressishidden

The email address of <email address hidden> is shown when trying to merge, although it should NOT be visible to anyone. (see screenshot attached)

I was however NOT able to do this with the first (and only) other account I tried:

https://launchpad.net/~sabdfl (Mark Shuttleworth himself)

as a warning regarding private branches pops up, preventing a merge and thus not sending the request.

All that is needed to fix this is show the username instead of the email address when the request is sent.

Revision history for this message

Jeremie Miserez (jmiserez) wrote on 2014-05-22:

Screenshots of the procedure Edit (163.4 KiB, image/png)

summary:

- Hidden email address can be viewed for most accounts on launchpad.net
+ Hidden primary email addresses can be viewed for most accounts on
+ launchpad.net

William Grant (wgrant) on 2014-05-23

information type:

Private Security → Public Security