EPIC FAIL: new user signups result in plain text email with all login details

2009-08-07T15:37:49
ID ATLASSIAN:JRA-18279
Type atlassian
Reporter gfraser@adaptavist.com
Modified 2017-02-17T06:14:43

Description

After signing up to a JIRA instance, I got an email which simply amazed me - it contained:

  • My username
  • My email address
  • My full name
  • My password

It was all there, right before me, in a plain-text unencrypted email sent across a public network. WTF?!

I'm not sure which universe that's considered a good idea in, but the one I live in considers providing all that info in a plain text email an EPIC FAIL.

A sign-up email should, at most, contain a brief 'welcome to our issue tracker' message and a link to the issue tracker home page. AND NOTHING ELSE.

If I forget my username or password, I can go to the site and retrieve them. Emailing me all those details 'just in case I forget' (assuming I keep that email in my inbox) is utterly, utterly insane and deeply wrong on more levels than I can count on a millipede's legs.

Why on earth would you put the username, email and password into a plain text email?! Just retarded. Not only does it cater to all the desires of a man-in-the-middle attack, there must also be gazillions of such emails sitting in people's email inboxes, just waiting for hackers to come in and take them.

Please fix this epic fail and provide patches for earlier versions of JIRA.

Once again, in case I didn't get this point across:

EPIC. FAIL.
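The behaviour the report describes next to the welcome-only message it asks for, with a pre-send guard that rejects any outgoing mail carrying the new user's password. This is an added example, not part of the original report and not JIRA's code; the function names, the sample account and the tracker.example.com URL are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data; every name, address and URL here is hypothetical.
USER = {"username": "jdoe", "email": "jdoe@example.com", "full_name": "Jo Doe"}
PASSWORD = "c0nstructed-Passw0rd"
BASE_URL = "https://tracker.example.com/"


def build_signup_email_leaky(user, password, base_url):
    """The pattern the report describes: every login detail in the body."""
    msg = EmailMessage()
    msg["To"] = user["email"]
    msg["Subject"] = "Account created"
    body = (
        f"Username: {user['username']}\nEmail: {user['email']}\n"
        f"Full name: {user['full_name']}\nPassword: {password}\n{base_url}\n"
    )
    # base64 transfer encoding, to show why the guard must decode each part
    msg.set_content(body, cte="base64")
    return msg


def build_signup_email(user, base_url):
    """What the report asks for: a welcome line and a link, nothing else."""
    msg = EmailMessage()
    msg["To"] = user["email"]
    msg["Subject"] = "Welcome to our issue tracker"
    msg.set_content(f"Welcome to our issue tracker.\n{base_url}\n")
    return msg


def leaks_secret(raw_message: bytes, secret: str) -> bool:
    """Pre-send guard: True if the secret is in any header or decoded part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    if any(secret in str(value) for value in msg.values()):
        return True
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        if secret in payload.decode(charset, errors="replace"):
            return True
    return False
```

A plain byte search of the serialized leaky message misses the password because the body is base64-encoded, which is why the guard parses the message and decodes each part before matching.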