A spam technique has been discovered that consisted in creating an account with a malicious URL in the username and the email of the intended victim, so that the victim would receive a verification email with the malicious URL inside it. It was most often combined with control characters to make the malicious URL even more visible.
Thanks to Devin McGovern from the Cyber Security Operations Department at Hyatt who responsibly disclosed this issue to the team.
To deal with the issue:
- Creating new such accounts has been blocked; See MBS-12827.
- Existing such accounts, around 40,000, have been removed (since new verification emails could still be requested); See MBBE-68.
It doesn’t affect mirrors so there is no update for MusicBrainz Docker.
The git tag is v-2023-01-10-hotfixes.
Side notes
- In the advent of ListenBrainz’s Year In Music 2022, a “Play on ListenBrainz” button has been added to MusicBrainz pages related to recordings; See MBS-12205. Even though BrainzPlayer still has some limits, it most often works as expected, especially if you have linked a Spotify Premium account to ListenBrainz. Bugfixes and improvements are already in progress for this tool in both MusicBrainz and ListenBrainz.
- Thanks to everyone who is testing the new relationship editor in our beta server! We have made a lot of changes based on your feedback and we feel it’s a lot better by now, but there’s still time for all our editors to try the beta and help us improve it. This is the biggest change in quite a while so we want to make sure it only comes out when it’s really ready – as such, we’re not setting a specific date yet for its release in the main server.