Bitbucket sending out our passwords by e-mail (BB-9953)

Anders Berglund Dacke
created an issue

One of our developers followed the steps in, I presume, https://confluence.atlassian.com/display/BITBUCKET/Import+code+from+an+existing+project.

In my (=some kind of admin's) mailbox, a notification appeared:

    Subject: Fwd: [Bitbucket] Your Git import job for some-repo-name has finished

    You are receiving this email because you're an administrator of the some-team-name team.

    The remote Git import you started for https://actualusername:actualpassword@fully.qualified.hostname/some/local/path completed successfully.

    View repository

    Team email forwarding can be configured from the groups administration page

I see several things wrong with this:

1) the password is sent to another person
2) the password is sent in clear text from Australia (?) to Sweden (?), intercepted by NSA, GCHQ, FRA and others

Could you perhaps try to filter out passwords from these links that you send out?

Comments (4)

  1. Zachary Davis

    When importing a repository in Bitbucket, you enter the URL of the repo and then optionally provide authorization details. If used as such, only the URL will be included in the email you reference in this issue.

    If the URL you enter has sensitive information (such as username/password) then you are correct that we will echo that information in the email. So if used in the intended way, we will not leak any information that we consider to be sensitive. However, I do agree that perhaps we can be more proactive about detecting the situation you describe above and handling it in a smart manner.
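The reporter asks for passwords to be filtered out of the links in these notifications, and the reply above explains that whatever is typed into the URL field is echoed verbatim. The mitigation is to strip the userinfo part of any URL before it is placed in a mail, log line or UI string. The following is an added example written for this thread, not Bitbucket's own code: the function names, the `render_import_notification` helper and its wording are assumptions, and the sample URL reuses the placeholder from the report.

```python
from urllib.parse import urlsplit, urlunsplit


def url_has_credentials(url: str) -> bool:
    """True if the URL carries userinfo (username and/or password) before the host."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url_credentials(url: str, keep_username: bool = False) -> str:
    """Return the URL with the password (and by default the username) removed.

    Only the userinfo component is touched; scheme, host, port, path, query
    and fragment are passed through unchanged.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact

    host = parts.hostname or ""
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals; put them back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"

    netloc = f"{parts.username}@{host}" if keep_username and parts.username else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def render_import_notification(team: str, repo: str, source_url: str) -> str:
    """Build the admin notification text with a credential-free source URL.

    Hypothetical helper (not Bitbucket's): the wording loosely follows the
    e-mail quoted in the report, but the URL is redacted before insertion,
    so a password pasted into the import form never reaches the mail body.
    """
    safe_url = redact_url_credentials(source_url, keep_username=True)
    return (
        f"[Bitbucket] Your Git import job for {repo} has finished\n"
        f"You are receiving this email because you're an administrator of the {team} team.\n"
        f"The remote Git import you started for {safe_url} completed successfully.\n"
    )


if __name__ == "__main__":
    # Constructed sample input, reusing the placeholder URL from the report.
    leaked = "https://actualusername:actualpassword@fully.qualified.hostname/some/local/path"
    print(url_has_credentials(leaked))
    print(redact_url_credentials(leaked))
    print(render_import_notification("some-team-name", "some-repo-name", leaked))
```

Redacting at the rendering boundary rather than at input time keeps the stored clone URL usable for the import job itself while guaranteeing that every outgoing representation of it is credential-free; the same helper can wrap log statements for the import worker.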

