Slashdot Mirror


Gaining Info On Tech Execs With Just Their Email

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."

8 of 75 comments

  1. Any way around this? by jbuk · · Score: 5, Interesting

    Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

    1. Re:Any way around this? by jeffmeden · · Score: 5, Insightful

      Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

      Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

    2. Re:Any way around this? by omnichad · · Score: 4, Insightful

      Send the verification email at this step, before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

      That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.
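
The email-first flow jeffmeden and omnichad describe, as an added Python example (this is not code from either commenter or from Slashdot). The leaky version is shown first for contrast; the hardened version returns the same page text whether or not the address exists and moves the distinction into the mail. The user set, the example.com links and the in-memory "outbox" are constructed stand-ins for a real user store, URLs and mail transport.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data for this example: one account already exists.
# The address and the example.com URLs are placeholders, not real services.
EXISTING_USERS = {"alice@example.com"}


def leaky_register(email: str, users: set) -> str:
    """The response the thread complains about: the page itself reveals
    whether an address already has an account, so anyone can probe it."""
    if email.strip().lower() in users:
        return "Error: this email address is already in use."
    return "Please check your email for registration info."


@dataclass
class RegistrationFlow:
    """Email-first registration as described in the thread: the web page
    gives the same answer to everyone; only the mailbox owner learns which
    case applied."""
    users: set
    outbox: list = field(default_factory=list)   # (to, subject, body) tuples
    pending: dict = field(default_factory=dict)  # token -> (email, purpose)

    def start_registration(self, email: str) -> str:
        normalized = email.strip().lower()
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        if normalized in self.users:
            # Account exists: the mail offers a password reset and warns
            # that someone else may have triggered it.
            self.pending[token] = (normalized, "reset")
            subject = "Someone tried to register with your address"
            body = ("An account already exists for this address. If this was "
                    "you, nothing more is needed. If it was not, someone may be "
                    "probing your account; you can change your password here: "
                    f"https://example.com/reset?token={token}")
        else:
            # New address: the mail carries the link that continues sign-up.
            self.pending[token] = (normalized, "create")
            subject = "Finish creating your account"
            body = ("Use this link to choose a password and complete your "
                    f"profile: https://example.com/register/continue?token={token}")
        self.outbox.append((normalized, subject, body))
        # Identical text, and the same amount of work, in both branches.
        return "Please check your email for registration info."

    def redeem(self, token: str) -> Optional[Tuple[str, str]]:
        """Consume a token from the email link. Returns (email, purpose), or
        None for an unknown or already-used token."""
        return self.pending.pop(token, None)


if __name__ == "__main__":
    flow = RegistrationFlow(users=set(EXISTING_USERS))
    for addr in ("alice@example.com", "bob@example.com"):
        print(addr, "->", flow.start_registration(addr))
    for to, subject, _body in flow.outbox:
        print(f"mail to {to}: {subject}")
```

The two page responses are byte-for-byte identical, so the only way to learn whether an address is registered is to read that mailbox. Tokens are consumed on first use, so a link in a forwarded or leaked mail cannot be replayed.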

  2. Hate using my Email address as log in by Nyder · · Score: 5, Interesting

    Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

    --
    Be seeing you...

    1. Re:Hate using my Email address as log in by Leif_Bloomquist · · Score: 4, Informative

      This is where services like Mailinator are invaluable. Just create a throwaway email address for each of these stupid logins.

      I take it a step further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com. This way, each login is unique *and* I can track who is giving out my email address as spam.

      Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.

    2. Re:Hate using my Email address as log in by KhabaLox · · Score: 3, Insightful

      You don't have to create extra email addresses with Gmail. You can use periods or '+' to create custom email addresses that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.

      --
      This is not a sig.

    3. Re:Hate using my Email address as log in by Cormacus · · Score: 4, Interesting

      Unfortunately a lot of the same sites where you would want to use this kind of information gathering (adding the "+thisSite" to your email address) refuse to validate email addresses with the '+' character. I've run into this in more than a few places.

      --
      My dog has no nose. How does he smell? Terrible!

  3. Re:Use a virtual email address by Anonymous Coward · · Score: 3, Informative

    +notation is not a virtual email address. It's good that gmail follows the RFC.
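
The subaddressing discussed in the last few comments (KhabaLox's '+' and dot tricks, Cormacus's sites that reject '+', and the AC's point about the RFC), as an added Python example that is not code from any of the commenters. The '+' separator is the convention Gmail uses and the one RFC 5233 (Sieve subaddress extension) describes; the two regular expressions are constructed here to contrast a validator that admits '+' with the kind that does not, and the filter rules and addresses are made-up sample input.

```python
import re
from typing import Optional, Tuple

# Pragmatic syntax check that admits the '+' subaddress separator.
ACCEPTS_PLUS = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# The overly strict pattern the thread complains about, constructed here
# for contrast: identical except that '+' is missing from the local part.
REJECTS_PLUS = re.compile(
    r"^[A-Za-z0-9._%-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def is_valid(addr: str, strict_like_bad_sites: bool = False) -> bool:
    """Return True if addr passes the chosen validator."""
    pattern = REJECTS_PLUS if strict_like_bad_sites else ACCEPTS_PLUS
    return pattern.fullmatch(addr) is not None


def split_subaddress(addr: str, delimiter: str = "+") -> Tuple[str, Optional[str], str]:
    """Split user+tag@domain into (user, tag, domain); tag is None when absent.
    '+' is Gmail's delimiter and the RFC 5233 convention; other mail systems
    can be configured differently, so the delimiter is a parameter."""
    local, _, domain = addr.rpartition("@")
    user, sep, tag = local.partition(delimiter)
    return user, (tag if sep else None), domain.lower()


GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(addr: str) -> str:
    """The inbox that actually receives mail for addr.
    For Gmail, dots in the local part and everything after '+' are ignored,
    as the thread describes. For other domains only the tag is stripped; the
    local part is otherwise left alone, since other providers may treat it
    case-sensitively or keep the dots."""
    user, _tag, domain = split_subaddress(addr.strip())
    if domain in GMAIL_DOMAINS:
        user = user.replace(".", "").lower()
        domain = "gmail.com"
    return f"{user}@{domain}"


def route(addr: str, rules: dict) -> str:
    """Emulate the per-tag filters from the thread: look the tag up in a
    tag -> action table, defaulting to the inbox. The tag itself names the
    site the address was given to, which is what exposes a leak or sale."""
    _user, tag, _domain = split_subaddress(addr)
    return rules.get(tag, "inbox")


if __name__ == "__main__":
    # Constructed sample of To: addresses as they might arrive.
    rules = {"newsletter": "archive", "oldshop": "trash"}
    for to in ("yourname+newsletter@gmail.com", "your.name+oldshop@gmail.com",
               "yourname@gmail.com", "sitename@mydomain.com"):
        user, tag, domain = split_subaddress(to)
        print(f"{to}: mailbox={canonical_mailbox(to)} tag={tag} "
              f"action={route(to, rules)} accepted_by_strict_site={is_valid(to, True)}")
```

Running it shows the practical gap the thread describes: every tagged address routes to the same mailbox and carries the name of the site it was given to, but only the untagged forms pass the strict validator.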