Slashdot Mirror


Sites Leaking Users' Email Addresses

Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."

35 of 194 comments

  1. register with by I_am_Rambi · · Score: 2, Interesting

    All the more reason to register with root@127.0.0.1

    1. Re:register with by moranar · · Score: 2, Insightful

      So that when you do lose the password, you cannot get a new one. That sounds practical!

      --
      "I think it would be a good idea!"
      Gandhi, about Internet Security
    2. Re:register with by NetNifty · · Score: 2, Insightful

      Probably won't work on a lot of sites though, as quite a few require you to confirm that you own the email account by clicking a URL within the email they send you, or entering a code from it on their site.

    3. Re:register with by intnsred · · Score: 2, Funny

      Naaww. My favorite to register on misc. sites is the e-mail address of "Bill.Gates@microsoft.com".

      Now, before you complain, think of it this way: those Borg admins have to have something to do to break the constant monotony of installing buggy patches to Exchange. :-)

    4. Re:register with by brain007 · · Score: 2, Interesting

      Personally, I've very rarely needed to use that. Only when the site wants a password that's 6-8 chars, with 3 of them being a symbol or something that goes against my normal password convention do I ever need a reminder. But those sites are so rare that I generally just remember those passwords as being something off of my normal scheme.

      I think it would be more time and bandwidth efficient to just throw emails to a@blah, aa@blah, etc. and see which ones don't bounce back than to go through a login script for each of those, and really get the admin's attention as their CPU jumps from running the same register.cgi over and over from the same few IP addresses. In the end both ways will get you banned by any good admin.

    5. Re:register with by the+eric+conspiracy · · Score: 3, Funny

      Naaww. My favorite to register on misc. sites is the e-mail address of "Bill.Gates@microsoft.com".

      My favorite on annoyingsite.com is to use sales@annoyingsite.com

    6. Re:register with by theguyfromsaturn · · Score: 3, Informative

      I just use my Yahoo Address Guard account for this kind of stuff. Address Guard is neat. You do get the registration e-mail and you can reactivate the specific e-mail that will get your forgotten password when you need it, and deactivate it at all other times. If you don't know about the Address Guard, go to your Yahoo mail, and under Options go to Address Guard and read the explanations. I highly recommend it. I have one, "basename"-forgottenpasswords@yahoo.com, that I use for this specific case. Once the account is created with that ID and you've replied to the e-mail, you can erase that entry (and never receive e-mail there). If you forget your password, go back to Address Guard, add forgottenpasswords (or whatever you choose to call it) as one of your addresses, and on the site request your address again. It has changed the way I e-mail. Nobody gets my Yahoo ID based name. All get the base-name, extension-name compound Address Guard address. It makes disposing of undesirable e-mails very very easy.

      --
      I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
  2. Disposable hotmail accounts, anyone? by Anonymous Coward · · Score: 3, Informative

    All the more reason to have a disposable hotmail account. Only some few personal friends have my "real" email. I've been doing this for years, and never get any spam.

    1. Re:Disposable hotmail accounts, anyone? by zallus · · Score: 2, Informative

      Here's some blatant advertising for a spam protection service I use, http://spamgourmet.com/. You pick out an address to fill in, in servicekey.messages_allowed.accountname@spamgourmet.com format, and it forwards messages_allowed messages from the servicekey account, then discards all further ones. I use this for a gmail account I have, and I've never gotten a single spam message to it. Ever.

      --
      I mod down pathetic posts.
  3. like this one? by dj245 · · Score: 2, Interesting

    List of all students at Maine Maritime Academy, directly linked from http://www.mma.edu/ (Academics/Student Schedules on the java menu)

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  4. Another problem by Antony-Kyre · · Score: 4, Interesting

    While we're on the topic of security, here is another bad problem.

    When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.

    Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.

    1. Re:Another problem by idonthack · · Score: 3, Insightful

      Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.

      This is the reason that most ISPs and web mail providers don't allow anybody to register an email that's been registered at any time in the past.

      --
      Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
    2. Re:Another problem by fishdan · · Score: 2, Insightful
      I assume you're talking about Hotmail, who I know has a pretty rigorous expiration policy. Are you telling me that when they expire an account, they then recycle the name???

      I can't believe that's true, even of MSFT -- email addresses should NEVER be reused. Even at my old company where we used "bad" email addresses like "dan@mycompany.com," even if dan left, we'd never reissue that email address, even if it was the new CEO. you just can't do that!

      I would however be somewhat concerned about expiring DOMAINS. For example, if I let the mycompany.com domain slip/expire, then someone definitely could set that up, and get ALL the email sent to anyone at mydomain.com. But that's a different problem I think.

      --
      Nothing great was ever achieved without enthusiasm
  5. Password reminders by NetNifty · · Score: 4, Interesting

    Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".

    Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.

    1. Re:Password reminders by Antony-Kyre · · Score: 2, Insightful

      Easy secret questions for password reminders, or even moderately difficult secret questions, create problems.

      Like "What is my favorite movie?" then the person lists her favorite movie in her profile.

      What they need to do is require four secret questions, all needing to be answered correctly to go on.

      A good reminder is not to have a secret question that a background search or a Google search will turn up.

    2. Re:Password reminders by Fred_A · · Score: 2, Interesting

      Much simpler: ask for your password with a signed message.

      When you create your account, give your public key with it. From then on, they know who you are (at least in a digital way). The service's public key can likewise be gotten from their site or a keyserver.

      This can presumably be thwarted too but it would be much more difficult.

      --

      May contain traces of nut.
      Made from the freshest electrons.
  6. Add your pros and cons here by fishdan · · Score: 5, Interesting
    I'm sure this is going to degenerate into a "are emails good to use for login" battle (we've certainly hashed this out in our office several times), so I thought I'd start the Pros/Cons list here

    pros for using email as login:

    1. guaranteed unique, though you'd be a fool not to have a check.
    2. users forget it slightly less
    3. you have to send verification/password anyway

    cons for using email as login:

    1. What if a user has more than one email address?
    2. Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar
    3. users may use disposable email addresses and suddenly you cannot contact them

    After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot, my perl ain't what it should be) to not give the "pick another account name" if a user tries to register an existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertently spamming.

    --
    Nothing great was ever achieved without enthusiasm
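The mitigation fishdan describes, worked through as an added example (not code from the thread or from any site named in it): the on-screen response is identical whether or not the address is already registered, only the mail that reaches the address differs, and each address gets at most 3 attempts per day whether they succeed or fail. The account store, clock and outbox are constructed stand-ins; a one-time token is mailed in place of the password itself.

```python
"""Enumeration-resistant registration and password reset (added example).
The web client can never tell a registered address from an unknown one;
that information goes only to the mailbox owner, and only DAILY_LIMIT times
per address per day. AccountService, its store and outbox are stand-ins."""
import secrets
from collections import defaultdict

GENERIC_RESPONSE = "Your password has been mailed to the address you supplied."
DAILY_LIMIT = 3            # attempts per address per day, the thread's figure
WINDOW_SECONDS = 24 * 3600


class AccountService:
    def __init__(self):
        self.users = set()                    # registered e-mail addresses
        self.pending = {}                     # one-time token -> address
        self.attempts = defaultdict(list)     # address -> timestamps of attempts
        self.outbox = []                      # (to, subject, body) that would be mailed

    def _allowed(self, email, now):
        """Per-address cap shared by registration and reset; every attempt
        counts, successful or not, so probing burns the budget too."""
        recent = [t for t in self.attempts[email] if now - t < WINDOW_SECONDS]
        if len(recent) < DAILY_LIMIT:
            recent.append(now)
        self.attempts[email] = recent
        return len(recent) <= DAILY_LIMIT and recent[-1] == now

    def _send(self, to, subject, body):
        self.outbox.append((to, subject, body))

    def _issue_token(self, email):
        token = secrets.token_urlsafe(24)
        self.pending[token] = email
        return token

    def register(self, email, now):
        email = email.strip().lower()
        if not self._allowed(email, now):
            return GENERIC_RESPONSE            # throttled: same text, nothing mailed
        if email in self.users:
            # Existing account: tell the mailbox owner, never the web client.
            self._send(email, "Registration attempt",
                       "This address already has an account; no change was made.")
        else:
            self.users.add(email)
            token = self._issue_token(email)
            self._send(email, "Finish creating your account",
                       f"Set your password at /activate?token={token}")
        return GENERIC_RESPONSE

    def request_reset(self, email, now):
        email = email.strip().lower()
        if not self._allowed(email, now):
            return GENERIC_RESPONSE
        if email in self.users:
            token = self._issue_token(email)
            self._send(email, "Password reset", f"Reset at /reset?token={token}")
        else:
            # Unknown address: the mailbox owner learns someone tried; the client learns nothing.
            self._send(email, "Password reset requested",
                       "No account exists for this address.")
        return GENERIC_RESPONSE
```

The same uniform text should also take roughly the same time to produce on both paths, or the timing difference becomes the oracle instead.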
    1. Re:Add your pros and cons here by fishdan · · Score: 2, Interesting

      ok, I'm adding one more thing -- if an email address does not exist (I get a user does not exist message from the receiving mail server) I'll store that for 24 hours too. Doesn't do much for the "I accept it all" email servers, but it's something.

      --
      Nothing great was ever achieved without enthusiasm
    2. Re:Add your pros and cons here by argent · · Score: 3, Insightful

      cons for using email as login

      Here's another one, and it ties into the original posting: it's the same problem as using biometrics for identification: using an ID or password that's hard to change. You don't want to use that kind of ID casually, because you want to make sure that people who have your ID have an incentive to be at least as careful with it as you would be.

      If you use your thumbprint to pay for a drink at a bar, how good a job do you think the bar is going to do about making sure someone else doesn't game their sensor with a bit of latex on their fingertip? If someone steals your credit card, you can cancel it and get a new credit card. If someone steals your thumbprint you're hosed.

      This is the same kind of thing. If someone finds out that there's someone with the handle "fishdan" on slashdot, they don't have anything useful. If they have your email address, they have something useful that's hard to change (look at me, I'm using year-tagged email addresses and I'm thinking of going to month tags). Plus, if you DO change your email address you have to change it EVERYWHERE (which is why I've got spam filters that reject entire countries for my main email address... because I've had it for about as long as personal domains have been available and I'm really loath to dump it).

      And because of all this, what this means is that all email addresses have to be treated as disposable, even the supposedly private ones you use for account registration only. Which means that now your email address has the same problem as any other name: you have to remember a bunch of them, you have to remember where you used them, and if you only keep 'em long enough for the verification you can't relogin with the old address.

    3. Re:Add your pros and cons here by OblongPlatypus · · Score: 2, Interesting

      This isn't just about using email addresses as login though - the attacks suggested in the article work on any site that allows you to enter your email address in order to receive a forgotten password. This includes Slashdot, but they have sensibly added a script prevention measure.

      (Their implementation of the image/text challenge is awful, though - most of the time, the text is in all caps, but the response is only accepted in lowercase.)

      --
      -- If no truths are spoken then no lies can hide --
  7. From the law offices of James Sokolove... by mosel-saar-ruwer · · Score: 2, Funny

    Have you ever allowed your email address to expire, and, if so, did someone else claim your email address and then go to websites asking them to send your passwords to that old email address?

    If so, the law offices of James Sokolove would like to help. Please contact us at http://www.jimsokolove.com/contact/.

    Note that if you cannot remember your account password at jimsokolove.com, then the law offices of James Sokolove will be happy to send a password reminder to your registered email address.

    Thank you, and have a good day.

  8. Registration Validation by ranson · · Score: 4, Interesting

    Another issue I have is that some very popular sites that require registration (MySpace, Xanga, several banking sites, etc) do not do e-mail address validation. Given that I have a very very very 'easy to use' e-mail address with my company (e.g., firstname@reallybigisp.net), I get about 30 registrations per day from people who just enter it in instead of their own for whatever reason. And then i get all of their account updates, "you have 4 new responses to your profile!", etc. If every site with user registrations would use the "please validate your account by going to this url" system, it would save a lot of people like myself a lot of hassle of having to go in and cancel the accounts. That has required me to do things like calling up a bank on the phone and trying to convince them that I'm not really the guy who filled out the web form with the wrong e-mail address, and the guy who did really doesn't own that e-mail address. After about 20 minutes of arguing I can finally get those taken care of.

  9. Ocean-centric view of the world by CHESTER+COPPERPOT · · Score: 2, Funny
    "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks"

    I believe you miswrote spammers. The word you are looking for is shark and/or dolphin. People get spammers, sharks and dolphins mixed up all the time. You can tell them apart from the dorsal fin.

  10. I love challenge/response! by mjh · · Score: 5, Informative

    I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA) I just don't care. I give anyone my email whenever they want. I register on websites with an address that expires. So it works for long enough for them to send whatever it is that I need from them and then stops working after that.

    Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.

    IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of /.

    (FWIW, I fully understand the argument that says that C/R is bad. I do not agree with its accuracy nor its validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R.)

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
    1. Re:I love challenge/response! by mjh · · Score: 2, Interesting
      Greylisting is a very powerful spam reduction technique that works transparently.

      Forgot to mention: I use greylisting also. I like its transparency. However I've found that I have to tweak the wait time. The default time prevents delivery from too many real users. I've settled on 3 mins as a reasonable time.

      I don't like heuristic systems (e.g. spamassassin). When they produce a false positive, no one knows. Neither the sender nor the recipient knows that a legit email has been incorrectly identified (see note below). With greylisting and C/R, this doesn't happen. In both cases, the system notifies one or the other party that the email was NOT delivered. That's a good thing.

      NOTE: It's certainly possible for someone to know when spamassassin mis-id's a legit email as spam. But it requires one of two things, either the recipient must occasionally scan his/her spam folder looking for false positives, or the sender must be notified that the email wasn't delivered. In the former case, if you're going to scan all of your spam anyway, why have any spam protection at all. In the latter case, this is functionally equivalent to C/R.

      $.02
      --
      Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  11. Sold anyway by dark+grep · · Score: 2, Interesting

    I just assumed any site I provided my email to for 'free' access to something sold that email address to some direct marketing agency anyway. Who reads all the fine print of the privacy statements on most sites? Don't they say details will be kept strictly 'for use by the company and its affiliates'? The affiliate being a direct marketing company of course.

  12. Don't PATCH it, FIX it. by argent · · Score: 4, Insightful

    Maybe this security issue could be solved by instead of sticking up a message saying "email not found" if the email is entered incorrectly, it could randomly generate the "secret questions".

    I've got a better idea. Don't require the user to give you their email address EXCEPT for initial registration. Don't use their email address as their ID. Don't ask for email address for password reset*. Just take the user ID, send the message, and have done with it.

    This is a case where there's really no good and easy way to fix the security problem except by backing up and not doing the thing that causes the problem. This is like someone's saying "I want to leave my front door open while I'm not at home, so my cat can get in and out." and then coming up with "Well, you can set up a webcam to close the door when something bigger than a car comes up" instead of "Don't DO that, use a cat-flap".

    ----
    * Why sites do that, I don't know... there's no extra security from having a login name AND an email address typed in by the user, since the verification mail won't go to anyone but the real user... all it does for me is make me generate a new account 'cos I don't know what email address I used to sign up with because of exactly this kind of problem.

  13. HOW does this help? by argent · · Score: 2, Informative

    What they need to do is require four secret questions, all needing to be answered correctly to go on.

    As soon as they get the FIRST question they have the information they need, that this is a valid email address.

    If you don't put the email address in in the first place, then you don't need any secret questions at all.

  14. This is really about better CMS design by mfh · · Score: 2, Interesting

    I am a CMS designer and let me just say: DUH.

    Of course if you post a user's email addy, a spammer is going to find it.

    Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.

    My new cms is currently being forked into two versions:

    1. GS 1.9.9 Beta : rapid content management for small business
    2. GS Blog 0.9.1: rapid content management for bloggers

    One of the main new features I've implemented is to have a validation MD5 that you have to copy/paste when you first log onto the system. It's pretty simple if you register.

    But dial it back a bit and examine the whole password reminder system. I'm doing this code, coincidentally, today. A user who forgets their password is prompted the next time they log in. It will be the exact same as the registration code, except you will have to accept the password change with a code, or optionally reject it.

    I just think that CMS designers need to examine the whole process and look at the big picture. If you show an email address, a spammer can find it. If you ask your users to clickthrough, the next time they get an email from a phisher, they are going to click it.

    Yes, there is a limited level of intelligence to use the internet, but I think we need to be always looking at better methods of implementing CMS design.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  15. Yay for sneakemail by PhracturedBlue · · Score: 4, Interesting

    This is why I use sneakemail for every registration I ever enter. Sneakemail is a (free) mail-forwarding service that will generate an unlimited number of randomized email addresses and forward them to 1 of 10 of your addresses. Every forwarded mail has a tag (specified by you) attached to the subject for easy filtering. The 'From' addresses are mapped so that a response from you gets sent to sneakemail (where it gets re-sent back to the recipient with the 'random' e-mail address (and all header information removed)). In other words, sneakemail is a kind of anonymizer proxy for email. I like this service because (a) I never have to give out my real email address, (b) I know which sites are giving away my email address, (c) I can disable, block, or delete an email address that is being used for spam, and (d) it makes it difficult for anyone to associate an email address to me (in the cases where I don't want to give my real name). Admittedly, you can accomplish all of the above if you have your own domain name and create addresses for every account (except that (d) becomes a bit harder, as it requires fake information in your domain registration). This is superior to throw-away email addresses, which only work for (a), and which, if you ever need to receive email from them (say because you lost your password, or they use email as login), you need to remember the address somehow. I can always log into sneakemail and see a list of all the addresses I have, neatly categorized.

  16. Gmail by Anonymous Coward · · Score: 4, Informative

    Just add "+$SUFFIX" to your username. Example: username+someplaceregistration@gmail.com Then if you start getting spam at that address, just add a filter to delete mail to the "+someplaceregistration" suffix. Unfortunately, some sites don't accept email addresses with "+" in them.

  17. Got a Wikipedia Account? Vandals Got Your Password by Anonymous Coward · · Score: 5, Informative

    As an on-again, off-again Wikipedian responsible for countless edits as well as several full articles, I used to be happy to leave administrative matters there to others. Such was my bliss, anyway, until I stumbled upon something extremely troubling--something that forced upon me an awareness of the project's astonishingly careless attitude toward privacy and security. This is the product, apparently, of an obsession with countering vandalism so all-consuming that administrators are even willing to expose unlucky bystanders to identity theft.

    This is what I discovered.

    A Wikipedia developer, intending to catch sockpuppet accounts (multiple accounts created by the same individual), queried the user database for a list of accounts whose passwords matched passwords belonging to known vandals and trolls. Hoping the results would be useful to others, he published his findings on his user page. Of course, such a list necessarily included anyone who happened to be using, merely by coincidence, the same passwords as the targeted individuals. As a matter of fact, it seems likely that the dragnet caught at least some people by chance alone. But only the people on the list could know for sure.

    That in itself sounds unfortunate, but none too dangerous. The horrifying punchline is this: in publishing the results of his query, the developer had effectively given these vandals and trolls a list of usernames with whom they shared a password. And once so equipped, the vitals of each compromised account--including the email address--were just a login away.

    Leaking people's passwords, usernames, and email addresses to anyone is damaging enough, let alone to established miscreants.

    Anywhere else, a mistake like this would be acknowledged, the offending information removed, and the potential victims notified. Not so on Wikipedia, where the list spawned nothing but a protracted debate and then a vote to remove the page. In a second blow to Wikipedia's reputability--the first being the mistake itself--the vote finally succumbed to addled logic and shortsightedness, as did a motion to restrict its visibility to site administrators. And so the page has remained linked and visible now for almost a full year, a threat to any innocents listed therein and an affront to anyone with an interest in their privacy and personal security.

    Imagine if you were on that list. (In fact, maybe you are.) Wouldn't you wonder how it was possible for Wikipedia to expose your password to malicious users for the better part of a year? Wouldn't you marvel that no one had alerted you?

    I don't mean to single anyone out here, which is why I've refrained from mentioning the name of the careless developer. The real indictment, in my view, is of the process that:

    1. Allowed such an egregious breach of privacy;
    2. Failed to correct it, even after it came to attention;
    3. Failed to notify those whose passwords had been leaked.

    It is my opinion that this incident is only symptomatic of a larger problem: Wikipedia's tradition of policymaking by ad hoc polling. It is also, perhaps, a harbinger of disasters to come. A draft privacy policy offers some hope, but interest in its adoption appears to have stagnated.

    For the foreseeable future, then, it would be unwise for anyone to entrust their privacy to the Wikipedia site, when the project's developers and administrators have so clearly demonstrated a severe unfitness to guard it, to say nothing of a callous contempt for the real-world safety of contributors.

    ----
    Note: If my anonymity gives you pause to question my credi

  18. some sites are completely retarded by spicydragonz · · Score: 2, Interesting

    http://www.bilsystem.com/paypal_export.php This dude puts up the paypal username and addresses.

  19. Re:Got a Wikipedia Account? Vandals Got Your Passw by ZorbaTHut · · Score: 2, Interesting

    I remember, when I was designing the login system for a website of mine (which has since been taken down), I hashed the user's password along with their username, simply so that I wouldn't be able to tell who had the same password (and thus, neither would anyone else who got my database somehow.)

    You just don't give out info about people's passwords. At all. Yeesh.

    --
    Breaking Into the Industry - A development log about starting a game studio.
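Why ZorbaTHut's per-user hashing makes the Wikipedia "who shares a password" query impossible, as an added example (not code from the thread or from Wikipedia): with an unsalted digest, two users who chose the same password store the same value and can be grouped by a single query over the table; with a per-user salt (ZorbaTHut used the username; a random salt is the standard choice and is what this example uses), identical passwords store different values. The sample users and the PBKDF2 iteration count are constructed for the demo.

```python
"""Salted versus unsalted password storage (added example).
shared_password_groups() is the sockpuppet-hunting query from the comment
above; it finds matches only against the unsalted store."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, constructed value for the demo


def unsalted_record(password):
    """The weak scheme: same password, same stored value for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Store a random 16-byte salt and PBKDF2-HMAC-SHA256 digest as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Recompute the digest with the stored salt; constant-time compare."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(store):
    """Usernames grouped by identical stored value: the query that exposed
    bystanders on Wikipedia. Returns a sorted list of groups of size > 1."""
    by_value = {}
    for user, stored in store.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed sample users; two of them happened to choose the same weak password.
SAMPLE = {"alice": "password", "bob": "password", "carol": "hunter2"}
UNSALTED_STORE = {u: unsalted_record(p) for u, p in SAMPLE.items()}
SALTED_STORE = {u: salted_record(p) for u, p in SAMPLE.items()}
```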
  20. Re: Vandals Got Your Password --- DUH by NemosomeN · · Score: 2, Insightful

    Yes, the biggest issue is here: 1. People who use dictionary words as passwords are likely to use that password for everything/nearly so. 2. These people may have their email posted in their profile. 3. This email account may have email from their banks, etc. 4. The banks, etc. likely have this same shared password (People are more likely to use different banking passwords, but how about other accounts that still have purchasing ability?). This gives the suspected trolls (Who likely care less about, and have less damaging data on their accounts, likely using throw-away email accounts anyway, therefore not caring about strong passwords.) access to passwords of other people with more at stake to lose. I bet one of those lists is a list of everyone with the password "password". (Though that is more likely to be a "It's just Wikipedia, I don't care" password, therefore less damaging).

    --
    I hate grammar Nazi's.