Sites Leaking Users' Email Addresses 194
Pisang writes "CNet is running a story about
how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
register with (Score:3, Interesting)
like this one? (Score:3, Interesting)
Another problem (Score:5, Interesting)
When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.
Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
Password reminders (Score:5, Interesting)
Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.
Add your pros and cons here (Score:5, Interesting)
pros for using email as login:
After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot [sportsdot.org], my perl ain't what it should be) to not give the "pick another account name" if a user tries to register and existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertantly spamming.
Re:Add your pros and cons here (Score:3, Interesting)
Registration Validation (Score:4, Interesting)
Sold anyway (Score:2, Interesting)
Re:register with (Score:2, Interesting)
I think it would be more time and bandwidth efficient to just throw emails to a@blah, aa@blah, etc and see which ones dont bounce back then to go through a login script for each of those, and really get the admin's attention as their cpu jumps from running the same register.cgi over and over from the same few ip addresses. In the end both ways will get you banned by any good admin.
Re:Add your pros and cons here (Score:3, Interesting)
(Their implementation of the image/text challenge is awful, though - most of the time, the text is in all caps, but the response is only accepted in lowercase.
Re:Password reminders (Score:3, Interesting)
When you create your account, give your public key with it. From then on, they know who you are (at least in a digital way). The services public key can likewise be gotten from their site or a keyserver.
This can presumably be thwarted too but it would be much more difficult.
This is really about better CMS design (Score:2, Interesting)
Of course if you post a user's email addy, a spammer is going to find it.
Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.
My new cms [scottleonard.ca] is currently being forked into two versions:
But dial it back a bit and examine the whole password reminder systems. I'm doing this code, coincedentally, today. A user who forgets their password, is prompted the next time they log-in. It will be the exact same as the registration code, except, you will have to accept the password change with a code, or optionally reject it.
I just think that CMS designers need to examine the whole process and look at the big picture. If you show an email address, a spammer can find it. If you ask your users to clickthrough, the next time they get an email from a phisher, they are going to click it.
Yes, there is a limited level of intelligence to use the internet, but I think we need to be always looking at better methods of implementing CMS design.
Yay for sneakemail (Score:5, Interesting)
Solution - your own domain (Score:1, Interesting)
Or, give out a meaningful temp email address (example: from.bestbuy@yourdomain.com). That way you know when they are selling you to spammers.
some sites are complete retarded (Score:2, Interesting)
Re:Got a Wikipedia Account? Vandals Got Your Passw (Score:3, Interesting)
You just don't give out info about people's passwords. At all. Yeesh.
Re:I love challenge/response! (Score:3, Interesting)
I don't like heuristic systems (e.g. spamassassin). When they produce a false positive, no one knows. Neither the sender nor the recipient knows that a legit email has been incorrectly identified (see note below). With greylisting and C/R, this doesn't happen. In both cases, the system notifies one or the other party that the email was NOT delivered. That's a good thing.
NOTE: It's certainly possible for someone to know when spamassassin mis-id's a legit email as spam. But it requires one of two things, either the recipient must occasionally scan his/her spam folder looking for false positives, or the sender must be notified that the email wasn't delivered. In the former case, if you're going to scan all of your spam anyway, why have any spam protection at all. In the latter case, this is functionally equivalent to C/R.
$.02