Sites Leaking Users' Email Addresses
Pisang writes "CNet is running a story about
how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
So that when you do lose the password, you cannot get a new one. That sounds practical!
Probably won't work on a lot of sites though, as quite a few require you to confirm that you own the email account by clicking a URL within the email they send you, or entering a code from it on their site.
Easy secret questions for password reminders, or even moderately difficult secret questions, create problems.
Like "What is my favorite movie?" then the person lists her favorite movie in her profile.
What they need to do is require four secret questions, all needing to be answered correctly to go on.
A good reminder is not to have a secret question that a background search or a Google search will turn up.
Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
This is the reason that most ISPs and web mail providers don't allow anybody to register an email that's been registered at any time in the past.
I can't believe that's true, even of MSFT -- email addresses should NEVER be reused. Even at my old company where we used "bad" email addresses like "dan@mycompany.com," even if dan left, we'd never reissue that email address, even if it was the new CEO. You just can't do that!
I would however be somewhat concerned about expiring DOMAINS. For example, if I let the mycompany.com domain slip/expire, then someone definitely could set that up, and get ALL the email sent to anyone at mydomain.com. But that's a different problem I think.
cons for using email as login
Here's another one, and it ties into the original posting: it's the same problem as using biometrics for identification: using an ID or password that's hard to change. You don't want to use that kind of ID casually, because you want to make sure that people who have your ID have an incentive to be at least as careful with it as you would be.
If you use your thumbprint to pay for a drink at a bar, how good a job do you think the bar is going to do about making sure someone else doesn't game their sensor with a bit of latex on their fingertip? If someone steals your credit card, you can cancel it and get a new credit card. If someone steals your thumbprint you're hosed.
This is the same kind of thing. If someone finds out that there's someone with the handle "fishdan" on slashdot, they don't have anything useful. If they have your email address, they have something useful that's hard to change (look at me, I'm using year-tagged email addresses and I'm thinking of going to month tags). Plus, if you DO change your email address you have to change it EVERYWHERE (which is why I've got spam filters that reject entire countries for my main email address... because I've had it for about as long as personal domains have been available and I'm really loath to dump it).
And because of all this, what this means is that all email addresses have to be treated as disposable, even the supposedly private ones you use for account registration only. Which means that now your email address has the same problem as any other name: you have to remember a bunch of them, you have to remember where you used them, and if you only keep 'em long enough for the verification you can't relogin with the old address.
Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".
I've got a better idea. Don't require the user to give you their email address EXCEPT for initial registration. Don't use their email address as their ID. Don't ask for email address for password reset*. Just take the user ID, send the message, and have done with it.
This is a case where there's really no good and easy way to fix the security problem except by backing up and not doing the thing that causes the problem. This is like someone's saying "I want to leave my front door open while I'm not at home, so my cat can get in and out." and then coming up with "Well, you can set up a webcam to close the door when something bigger than a car comes up" instead of "Don't DO that, use a cat-flap".
----
* Why sites do that, I don't know... there's no extra security from having a login name AND an email address typed in by the user, since the verification mail won't go to anyone but the real user... all it does for me is make me generate a new account 'cos I don't know what email address I used to sign up with because of exactly this kind of problem.
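Added example (not from the CNet article or any commenter here) in Python: the "email not found" style reset response the thread warns about, beside reset and registration handlers that answer identically whether or not the address is registered, so the response body no longer confirms which addresses have accounts. The user store and mail queue are constructed stand-ins.

```python
import secrets

# Constructed sample user store (assumption for the example): email -> display name
USERS = {"alice@example.com": "Alice"}

# One fixed message per endpoint, returned on every path, so a caller
# cannot distinguish registered from unregistered addresses.
RESET_MESSAGE = "If that address is registered, a reset link has been sent."
SIGNUP_MESSAGE = "Check your inbox to finish creating your account."


def leaky_reset(email: str) -> str:
    """The problematic pattern: the reply itself reveals whether the account exists."""
    if email not in USERS:
        return "email not found"
    return "reset link sent"


def request_password_reset(email: str, outbox: list) -> str:
    """Queue a reset mail only for real accounts, but reply the same either way.

    The token is generated unconditionally so both branches do similar work;
    the only observable difference is inside the mail queue, which the
    requester never sees."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        outbox.append(("reset", email, token))
    return RESET_MESSAGE


def register(email: str, outbox: list) -> str:
    """Registration never says 'already taken'.

    An existing owner gets a notice in their inbox; a new address gets a
    verification link. The HTTP reply is identical in both cases."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        outbox.append(("already-registered-notice", email, token))
    else:
        outbox.append(("verify", email, token))
    return SIGNUP_MESSAGE


if __name__ == "__main__":
    queue = []
    print(leaky_reset("nobody@example.com"))               # reveals non-existence
    print(request_password_reset("nobody@example.com", queue))  # uniform reply
    print(request_password_reset("alice@example.com", queue))   # same reply
    print(queue)  # only the real account produced a queued mail
```

Pair this with per-address and per-source rate limiting, since a uniform reply still leaves timing and volume as the remaining signals.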
It's utterly fucking ridiculous that this was modded down on SLASHDOT of all fucking places. The people here on Slashdot claim that security is of the utmost importance, and what happened here is sickening. I cannot believe that someone can actually SUPPORT what is, basically, the publishing of passwords to a group of individuals. If you are in a group there, you know everyone else's passwords. So what happens to the innocents that have/are/will be caught up in this?
It disgusts me that this is modded down and that page is still up. You, parent Anonymous "Coward," are now dubbed an Anonymous Hero.
Yes, the biggest issue is here:
1. People who use dictionary words as passwords are likely to use that password for everything/nearly so.
2. These people may have their email posted in their profile.
3. This email account may have email from their banks, etc.
4. The banks, etc. likely have this same shared password (People are more likely to use different banking passwords, but how about other accounts that still have purchasing ability?).
This gives the suspected trolls (Who likely care less about, and have less damaging data on their accounts, likely using throw-away email accounts anyway, therefore not caring about strong passwords.) access to passwords of other people with more at stake to lose. I bet one of those lists is a list of everyone with the password "password". (Though that is more likely to be a "It's just Wikipedia, I don't care" password, therefore less damaging).