INFRA-154 Conference site admins can edit all civicrm.org users
If you're an admin on one of the standardized conference sites, your edits affect the users table, which is shared among all xxx.civicrm.org conference sites along with civicrm.org itself. That means you can go to yourconference.civicrm.org/user/1/edit and set the email address, password, or blocked/active status, and that'll take effect everywhere.
Jane and I tested this out: I went to the old User Summit site and changed her email address. This changed it on civicrm.org. I needed no password or anything else of hers.
I don't have a good immediate resolution for this, because if nothing else, London people will need to be updating their site with presentations, videos, etc., and Fort Collins people will presumably be at work on their new site soon. I just wanted to make sure folks were aware of this vulnerability.
We trust conference organizers with a lot of things, so it's obvious why this hasn't actually been a problem in the past: if we organizers were to cause mayhem on civicrm.org, we could do so in other ways. However, it does increase the points of failure: if one of several dozen people has their email account hacked or password cracked, an intruder could log into the conference site and use this method to gain access as a privileged user on civicrm.org.
Original author: andrewhunt
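As an added illustration, not taken from the ticket or from the civicrm.org infrastructure, here is how the shared-users-table arrangement the report describes is typically expressed in a Drupal 7 multisite `settings.php` (the `user/1/edit` path suggests Drupal, but the exact sharing mechanism is an assumption), shown next to a per-site configuration that does not share the account tables. The site directory, database name, credentials and table prefixes are made up.

```php
<?php
// Added example: hypothetical sites/yourconference.civicrm.org/settings.php
// for a Drupal 7 multisite. Table names, prefixes and credentials are
// constructed; only one of the two blocks below belongs in a real file.

// WEAK: the conference site reads and writes the same account tables as
// civicrm.org. Anyone holding "administer users" on this site edits every
// account, which is what lets yourconference.civicrm.org/user/1/edit
// change the main site's user 1. Sharing 'sessions' additionally means a
// login on one site is a login on all of them.
$databases['default']['default'] = array(
  'driver'   => 'mysql',
  'database' => 'civicrm_sites',      // assumption: one shared database
  'username' => 'conf_db_user',
  'password' => 'EXAMPLE_PASSWORD',
  'host'     => 'localhost',
  'prefix'   => array(
    'default'  => 'conf2013_',        // this site's own tables
    'users'    => 'main_',            // shared with civicrm.org
    'sessions' => 'main_',
    'role'     => 'main_',
    'authmap'  => 'main_',
  ),
);

// CORRECTED: a single per-site prefix keeps the conference site's accounts,
// sessions and roles in its own tables, so a conference admin can only
// affect accounts that exist on that conference site. Organisers then need
// accounts provisioned per site (or an SSO arrangement that authenticates
// without granting cross-site account editing), which is the operational
// cost the ticket alludes to.
$databases['default']['default'] = array(
  'driver'   => 'mysql',
  'database' => 'civicrm_sites',
  'username' => 'conf_db_user',
  'password' => 'EXAMPLE_PASSWORD',
  'host'     => 'localhost',
  'prefix'   => 'conf2013_',
);
```

A quick way to confirm whether a given site is in the weak state is to check, in the database, whether a site-specific `users` table exists at all (for the prefixes above, `SHOW TABLES LIKE 'conf2013_users'`); if it does not, every account edit made on that site lands in the shared table. Where the shared table has to stay for the time being, the exposure is bounded by not granting "administer users" to conference-site administrators, since that permission is what the report's `user/1/edit` step relies on.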