It is an incredibly **stupid** thing to include links in the email that do not lead to the actual web page the link shows.
When the text is http://boards.straightdope.com/sdmb/profile.php?do=editpassword, but the status bar shows me the link is actually going to go to http://click.suntimesmail.com/?ju=<secure token>&ls=<secure Token>&m=<secure token>&l=<secure token>&s=<secure token>&jb=<secure token>, my hackles go up. Yes, I understand that the Straight Dope is owned by the Sun Times and this email likely would have logged me in and brought me to the edit password page, but that’s not the point.
The point is that as a computer professional I have beaten it into every friend that’s ever been hacked that a) a link in an email that is going to a different destination than it appears to be going to on the surface is a warning sign, and b) you should then open a new web page, surf to the site in question manually and see if they have any notice there about being hacked instead of clicking on a suspect link in the email.
I know I’ve seen exactly that advice on this board more than once, so why, oh why would you then send an email with not one, but two links that go to addresses other than those shown in the text?
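One way to automate the check the OP describes (visible link text naming one host while the href actually points at another), as an added example that is not from this thread. The email body below is constructed for illustration and the tracking parameters are placeholders; matching is by hostname, with a subdomain of the shown host treated as the same site.

```javascript
// Constructed sample: one anchor whose displayed URL names boards.straightdope.com
// but whose href goes through a tracking host, one honest anchor, one non-URL anchor.
const SAMPLE_EMAIL_HTML = `
<p>Please change your password at
<a href="http://click.suntimesmail.com/?ju=PLACEHOLDER&amp;l=PLACEHOLDER">http://boards.straightdope.com/sdmb/profile.php?do=editpassword</a>
or start from <a href="http://boards.straightdope.com/">boards.straightdope.com</a>.
Questions? <a href="mailto:help@example.invalid">Contact us</a></p>`;

// Undo the few HTML entities that commonly appear inside href values and link text.
function decodeEntities(s) {
  return s.replace(/&amp;/g, '&').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&quot;/g, '"');
}

// Only link text that itself looks like a URL or bare hostname can mislead by host.
function looksLikeUrl(text) {
  return /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text.trim());
}

// Hostname of a URL or bare hostname; null if it cannot be parsed.
function hostOf(text) {
  const s = text.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `http://${s}`;
  try { return new URL(withScheme).hostname.toLowerCase(); } catch { return null; }
}

// Treat "boards.straightdope.com" and "straightdope.com" as the same site.
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Return every anchor whose displayed host differs from the host the href goes to.
function findMismatchedLinks(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = decodeEntities(m[1]);
    const text = decodeEntities(m[2].replace(/<[^>]+>/g, '')).trim();
    if (!looksLikeUrl(text)) continue;
    const shown = hostOf(text);
    const actual = hostOf(href);
    if (shown && actual && !sameSite(shown, actual)) {
      findings.push({ text, href, shown, actual });
    }
  }
  return findings;
}
```

Running `findMismatchedLinks(SAMPLE_EMAIL_HTML)` reports only the first anchor, which is exactly the status-bar discrepancy the OP noticed by hand.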
It was probably an innocent human error. The thought process was probably first and foremost “How do we contact all of our users?” The answer was use the Sun Times mass mailing system. The mass mailing system is probably never used to send mass emails about account compromise - it’s used to send email to people that subscribe to various Sun Times emails. So having link tracking is crucial.
There’s probably a way to turn link tracking off. But either someone from the SDMB did the sending and wasn’t aware of the option (or even wasn’t aware that links would be altered) and just wanted to get the email out. Or someone from the Sun Times did it on behalf of the SDMB and just didn’t take into account the message being sent and failed to turn off tracking.
This is the sort of stuff that happens when there’s a bit of an emergency and people get stressed and don’t think things through. Unfortunate, but what are you going to do? Who do you fire?
I didn’t use the link, but I’m not sure why. Not because I checked it – I didn’t. Oh well, my arbitrary decision turned out to be the right one, at least.
As long as that fact is out in the open, I have a question: Anybody who gets into my email, and opens that link now apparently has a free pass to change my password. So, I should just delete that email from my inbox now, right?
Nope. Going to that link is exactly the same as going in to the control panel here and clicking “change password”. You still have to enter the old password, even when you’re already logged in. There is nothing dangerous about the email that they sent out. (That said, I agree with the OP in that it looked suspicious because of the URL and that it was a bad decision/unfortunate oversight, depending on how much thought went into it.)
Should I be concerned that I have not, apparently, gotten an email from either SDMB or Sun Times, either in regular mail or my Spam folder? I suppose I’d better check ATMB…
ETA: Never mind, I found it and I changed my password.
Really? The “old password” field was populated with seven asterisks. I changed my password to one with a different number of characters, and left the page. I then went back in through the email again, and now the field was populated with a number of asterisks consistent with the new password I had chosen.
I have not logged out of the Dope to test my observation, but my inference is that I did successfully change my password without proving to the page in the link that I had the authority to do so.
That link goes to the generic password page. If you click on it while logged in to the SDMB, you have access to the page for the account currently logged in. If you forwarded it to me, and I clicked it, it would go to my password page. If you forwarded it to your Aunt Gladys who presumably doesn’t have a SDMB account, she would click on it and land on a page that says “you gotta be logged in to access this page.”
If your existing password was filled in on that page, that was a function of your browser and/or password manager. It would be counter-intuitive for it to be a function of vBulletin.
If someone has access to your e-mail they can just request a new password anyway, assuming they know/guess that you have a Straight Dope account connected to that e-mail address.
The existing password field should NOT already be populated, not even on a computer where the user is already logged in, and if the password change page is correctly coded it won’t, regardless of browser. That’s to prevent someone from walking up to your computer while you’re away and resetting your password.
All right, well…it’s still not coded to pre-fill your password. If that is happening to kaylasdad99 then it’s because he’s got a password manager (or a browser) that is doing it for him and the box doesn’t disallow it.
The field is type “password”. What else should be added to prevent it?