Sites Leaking Users' Email Addresses

Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
  • register with (Score:3, Interesting)

    by I_am_Rambi ( 536614 ) on Sunday May 29, 2005 @08:25AM (#12669276) Homepage
    All the more reason to register with root@127.0.0.1
  • like this one? (Score:3, Interesting)

    by dj245 ( 732906 ) on Sunday May 29, 2005 @08:30AM (#12669285) Homepage
    List of all students at Maine Maritime Academy [mma.edu]. Directly linked from http://www.mma.edu/ [mma.edu] (Academics/Student Schedules on the Java menu).
  • Another problem (Score:5, Interesting)

    by Antony-Kyre ( 807195 ) on Sunday May 29, 2005 @08:32AM (#12669295)
    While we're on the topic of security, here is another bad problem.

    When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.

    Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
  • Password reminders (Score:5, Interesting)

    by NetNifty ( 796376 ) on Sunday May 29, 2005 @08:36AM (#12669308) Homepage
    Maybe this security issue could be solved by, instead of sticking up a message saying "email not found" if the email is entered incorrectly, randomly generating the "secret questions".

    Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.
  • by fishdan ( 569872 ) * on Sunday May 29, 2005 @08:39AM (#12669319) Homepage Journal
    I'm sure this is going to degenerate into an "are emails good to use for login" battle (we've certainly hashed this out in our office several times), so I thought I'd start the Pros/Cons list here.

    pros for using email as login:

    1. guaranteed unique, though you'd be a fool to not have a check.
    2. users forget it slightly less
    3. you have to send verification/password anyway

    cons for using email as login:

    1. What if a user has more than one email address?
    2. Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar
    3. users may use disposable [spamgourmet.com] email addresses and suddenly you cannot contact them

    After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot [sportsdot.org], my perl ain't what it should be) to not give the "pick another account name" if a user tries to register an existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertently spamming.
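    The design fishdan describes, written out as an added example (not fishdan's own code): registration and password-reset both return one generic page, the email is the only channel that reveals whether the address was known, and every request against an address counts toward a per-day quota whether it succeeded or not. The stores, sample user and limits are constructed stand-ins.

```python
import secrets
import time
from collections import defaultdict

# Constructed in-memory stand-ins for a site's database and mailer.
USERS = {"alice@example.org": "alice"}   # email -> account name (constructed sample)
ATTEMPTS = defaultdict(list)              # email -> timestamps of recent requests
OUTBOX = []                               # (recipient, message) pairs a real site would mail
LIMIT_PER_DAY = 3
WINDOW = 24 * 3600

# One page for every outcome: the browser learns nothing about whether the address is known.
GENERIC_REPLY = "If that address is on file, a message has been sent to it."

def _within_quota(email, now):
    """Count every request against an address, known or unknown, success or failure."""
    recent = [t for t in ATTEMPTS[email] if now - t < WINDOW]
    ATTEMPTS[email] = recent
    if len(recent) >= LIMIT_PER_DAY:
        return False
    recent.append(now)
    return True

def request_reset(email, now=None):
    now = time.time() if now is None else now
    email = email.strip().lower()
    if _within_quota(email, now) and email in USERS:
        # Only the mailbox owner ever sees whether the address was registered.
        OUTBOX.append((email, "Reset token: " + secrets.token_urlsafe(32)))
    return GENERIC_REPLY

def register(email, account, now=None):
    now = time.time() if now is None else now
    email = email.strip().lower()
    if _within_quota(email, now):
        if email in USERS:
            OUTBOX.append((email, "This address already has an account here."))
        else:
            USERS[email] = account  # a real site would hold this pending confirmation
            OUTBOX.append((email, "Confirm your account: " + secrets.token_urlsafe(32)))
    return GENERIC_REPLY
```

    Handing the message to a background mail queue keeps response time the same for known and unknown addresses, which the uniform page alone does not guarantee.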

  • by fishdan ( 569872 ) * on Sunday May 29, 2005 @08:41AM (#12669327) Homepage Journal
    OK, I'm adding one more thing -- if an email address does not exist (I get a user does not exist message from the receiving mail server) I'll store that for 24 hours too. Doesn't do much for the "I accept it all" email servers, but it's something.
  • by ranson ( 824789 ) * on Sunday May 29, 2005 @08:46AM (#12669342) Homepage Journal
    Another issue I have is that some very popular sites that require registration (MySpace, Xanga, several banking sites, etc) do not do e-mail address validation. Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net), I get about 30 registrations per day from people who just enter it in instead of their own for whatever reason. And then I get all of their account updates, "you have 4 new responses to your profile!", etc. If every site with user registrations would use the "please validate your account by going to this url" system, it would save a lot of people like myself a lot of hassle of having to go in and cancel the accounts. That has required me to do things like calling up a bank on the phone and trying to convince them that I'm not really the guy who filled out the web form with the wrong e-mail address, and the guy who did really doesn't own that e-mail address. After about 20 minutes of arguing I can finally get those taken care of.
  • Sold anyway (Score:2, Interesting)

    by dark grep ( 766587 ) on Sunday May 29, 2005 @09:03AM (#12669407)
    I just assumed any site I provided my email to for 'free' access to something sold that email address to some direct marketing agency anyway. Who reads all the fine print of the privacy statements on most sites? Don't they say details will be kept strictly 'for use by the company and its affiliates'? The affiliate being a direct marketing company of course.
  • Re:register with (Score:2, Interesting)

    by brain007 ( 798589 ) on Sunday May 29, 2005 @09:16AM (#12669455) Homepage
    Personally, I've very rarely needed to use that. Only when the site wants a password that's 6-8 chars, with 3 of them being a symbol or something that goes against my normal password convention do I ever need a reminder. But those sites are so rare that I generally just remember those passwords as being something off of my normal scheme.

    I think it would be more time and bandwidth efficient to just throw emails to a@blah, aa@blah, etc and see which ones don't bounce back than to go through a login script for each of those, and really get the admin's attention as their CPU jumps from running the same register.cgi over and over from the same few IP addresses. In the end both ways will get you banned by any good admin.
  • by OblongPlatypus ( 233746 ) on Sunday May 29, 2005 @09:23AM (#12669480)
    This isn't just about using email addresses as login though - the attacks suggested in the article work on any site that allows you to enter your email address in order to receive a forgotten password. This includes Slashdot [slashdot.org], but they have sensibly added a script prevention measure.

    (Their implementation of the image/text challenge is awful, though - most of the time, the text is in all caps, but the response is only accepted in lowercase.)
  • by Fred_A ( 10934 ) <fred@NOspam.fredshome.org> on Sunday May 29, 2005 @09:41AM (#12669563) Homepage
    Much simpler: ask for your password with a signed message.

    When you create your account, give your public key with it. From then on, they know who you are (at least in a digital way). The service's public key can likewise be gotten from their site or a keyserver.

    This can presumably be thwarted too but it would be much more difficult.
  • by mfh ( 56 ) on Sunday May 29, 2005 @09:44AM (#12669575) Homepage Journal
    I am a CMS designer and let me just say: DUH.

    Of course if you post a user's email addy, a spammer is going to find it.

    Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.

    My new cms [scottleonard.ca] is currently being forked into two versions:
    1. GS 1.9.9 Beta : rapid content management for small business
    2. GS Blog 0.9.1: rapid content management for bloggers
    One of the main new features I've implemented is to have a validation MD5 that you have to copy/paste when you first log onto the system. It's pretty simple if you register [scottleonard.ca].

    But dial it back a bit and examine the whole password reminder system. I'm doing this code, coincidentally, today. A user who forgets their password is prompted the next time they log in. It will be the exact same as the registration code, except you will have to accept the password change with a code, or optionally reject it.

    I just think that CMS designers need to examine the whole process and look at the big picture. If you show an email address, a spammer can find it. If you ask your users to clickthrough, the next time they get an email from a phisher, they are going to click it.

    Yes, there is a limited level of intelligence to use the internet, but I think we need to be always looking at better methods of implementing CMS design.
  • Yay for sneakemail (Score:5, Interesting)

    by PhracturedBlue ( 224393 ) on Sunday May 29, 2005 @10:01AM (#12669662)
    This is why I use sneakemail [sneakemail.com] for every registration I ever enter. Sneakemail is a (free) mail-forwarding service that will generate an unlimited number of randomized email addresses and forward them to 1 of 10 of your addresses. Every forwarded mail has a tag (specified by you) attached to the subject for easy filtering. The 'From' addresses are mapped so that a response from you gets sent to sneakemail (where it gets re-sent back to the recipient with the 'random' e-mail address and all header information removed). In other words, sneakemail is a kind of anonymizer proxy for email. I like this service because (a) I never have to give out my real email address, (b) I know which sites are giving away my email address, (c) I can disable, block, or delete an email address that is being used for spam, and (d) it makes it difficult for anyone to associate an email address to me (in the cases where I don't want to give my real name). Admittedly, you can accomplish all of the above if you have your own domain name and create addresses for every account (except that (d) becomes a bit harder, as it requires fake information in your domain registration). This is superior to throwaway email addresses, which only work for (a), and which if you ever need to receive email from them (say because you lost your password, or they use email as login) you need to remember the address somehow. I can always log into sneakemail and see a list of all the addresses I have, neatly categorized.
  • by Anonymous Coward on Sunday May 29, 2005 @10:18AM (#12669733)
    So give out a temp email address on your own domain (example: junk_3937448@yourdomain.com). That way nobody else will ever be able to use it.

    Or, give out a meaningful temp email address (example: from.bestbuy@yourdomain.com). That way you know when they are selling you to spammers.
  • by spicydragonz ( 837027 ) on Sunday May 29, 2005 @01:10PM (#12670579)
    http://www.bilsystem.com/paypal_export.php [bilsystem.com] This dude puts up the PayPal usernames and addresses.
  • by ZorbaTHut ( 126196 ) on Monday May 30, 2005 @03:12PM (#12677923) Homepage
    I remember, when I was designing the login system for a website of mine (which has since been taken down), I hashed the user's password along with their username, simply so that I wouldn't be able to tell who had the same password (and thus, neither would anyone else who got my database somehow.)

    You just don't give out info about people's passwords. At all. Yeesh.
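    The same goal ZorbaTHut describes, as an added example rather than that site's code: store a per-user random salt alongside a slow hash so two accounts with the same password never share a stored value, and compare in constant time on login. The iteration count is an assumed figure to tune per deployment.

```python
import hashlib
import hmac
import secrets

# Added example: a random per-user salt instead of the username, so the stored hash
# reveals nothing about which accounts share a password, on this site or any other.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed value, tune to your hardware

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("stored values differ:", a != b)
    print("login check passes:", verify_password("correct horse battery staple", a))
```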
  • by mjh ( 57755 ) <(moc.nalcnroh) (ta) (kram)> on Monday May 30, 2005 @11:51PM (#12681130) Homepage Journal
    Greylisting is a very powerful spam reduction technique that works transparently.
    Forgot to mention: I use greylisting also. I like its transparency. However I've found that I have to tweak the wait time. The default time prevents delivery from too many real users. I've settled on 3 mins as a reasonable time.

    I don't like heuristic systems (e.g. SpamAssassin). When they produce a false positive, no one knows. Neither the sender nor the recipient knows that a legit email has been incorrectly identified (see note below). With greylisting and C/R, this doesn't happen. In both cases, the system notifies one or the other party that the email was NOT delivered. That's a good thing.

    NOTE: It's certainly possible for someone to know when SpamAssassin mis-IDs a legit email as spam. But it requires one of two things: either the recipient must occasionally scan his/her spam folder looking for false positives, or the sender must be notified that the email wasn't delivered. In the former case, if you're going to scan all of your spam anyway, why have any spam protection at all? In the latter case, this is functionally equivalent to C/R.

    $.02
