Sites Leaking Users' Email Addresses

Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."

Another problem

[Antony-Kyre]

While we're on the topic of security, here is another bad problem.

When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.

Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.

Password reminders

[NetNifty]

Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".

Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.

Add your pros and cons here

[fishdan]

I'm sure this is going to degenerate into a "are emails good to use for login" battle (we've certainly hashed this out in our office several time), so I thought I'd start the Pros/Cons list here

pros for using email as login:

1. guaranteed unique, though you'd be a fool to not have check.
2. users forget it slightly less
3. you have to send verification/password anyway

cons for using email as login:

1. What if a user has more than one email address?
2. Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar
3. users may use disposable email addresses and suddenly you cannot contact them

After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot, my perl ain't what it should be) to not give the "pick another account name" if a user tries to register and existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertantly spamming.

Registration Validation

[ranson]

Another issue I have is that some very popular sites that require registration (MySpace, Xanga, several banking sites, etc) do not do e-mail address validation. Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net), I get about 30 registrations per day from people who just enter it in instead of their own for whatever reason. And then i get all of their account updates, "you have 4 new responses to your profile!", etc. If every site with user registrations would use the "please validate your account by going to this url" system, it would save a lot of people like myself a lot of hassle of having to go in and cancel the accounts. That has required me to do things like calling up a bank on the phone and trying to convince them that I'm not really the guy who filled out the web form with the wrong e-mail address, and the guy who did really doesn't own that e-mail address. After about 20 minutes of arguing I can finally get those taken care of.

Yay for sneakemail

[PhracturedBlue]

This is why I use sneakemail for every registration I ever enter. Sneakemail is a (free) mail-forwarding service, that will generate an unlimited number of randomized email addresses, and forward them to 1 of 10 of your addresses. Every forwarded mail has a tag (specificed by you) attached to the subject for easy filtering. The 'From' addresses are mapped os that a responses from you gets sent to sneakemail (where it gets re-sent back to the recipient with the 'random' e-mail address (and all header information removed). In other words, sneamemail is a kind of anonimizer proxy for email. I like this service because (a) I never have to give out my real email address, (b) I know which sites are giving away my email address, (c) I can disble, block, or delete an email address that is being used for spam, and (d) it makes it difficult for anyone to associate an email address to me (In the cases where I don't want to give my real name). Admittedly, you can accomplish all of the above if you have your own domain name, and create addresses for every account (except that (d) becomes a bit harder, as it requires fake information in your domain registration). This is superior to throw away email addresses, which only work for (a), and which if you ever need to receive email from them (say because you lost your password, or they use email as login) you need to remember the address somehow. I can always log into sneakemail and see a list of all the addresses I have, neatly categorized.