I listened to a podcast today which gave me pause… the guy was talking about “social engineering”, how it’s possible to get information on people just based on their email and some other scant pieces of information.
Apparently that’s how Scarlett Johansson’s pictures were leaked: she’d left a bunch of information online like the name of her pet, what high school she went to, etc., and a hacker could use that to get into her email.
Disturbing, but what disturbed me more was his statement that “I can use your email to see what online forums you’re a member of”. First of all, I presume that’s only the forums where you make your email public? Are there programs or search engines that allow people to put in your email and discover what forums you’ve logged into with that email, even if the email is kept private?
I’ve posted on a few forums here and there, and though I never wrote anything too horrible, I wouldn’t want a prospective employer or snoopy ex-girlfriend getting to see that.
On some websites, they could probably try to log in as email@example.com and depending on the error they get back (invalid email or invalid password) know whether you’re registered there.
And almost always, trying to register with an existing email account will result in an error saying such. So if they went to Pervs-R-Us.com and tried to sign up as you but your email was already in the system, that’s a likely sign that you’re already a member there. This is even more the case when the website requires an activation link in your email, because that’s de facto proof that somebody with access to your email account signed up (or they wouldn’t have gotten the activation email).
Leaving stuff on the internet such as your favourite pet, your mother’s last name, etc. can be used to answer your “secret” question and so reset your password. On most sites this isn’t possible any more. But I believe you could swap the receiving email address where the new password link was sent to for your own.
As a web developer, I want to assure everybody that that is considered bad practice in the field.
The error for an invalid username or password should always be vague enough so you can’t tell whether the username or password was in error. (Not just the message displayed to the user, but the message from the authentication server as well.)
It’s rare you find a website that makes this mistake, but there are millions of websites.
(ETA: My contradictory opinion is that the internet is a very insecure place and vulnerabilities are discovered daily and fixed monthly if you’re lucky. Many web developers, me included, have a very poor grasp of security principles. And even the big boys routinely fuck up. Your information, once online, is never truly safe.)
But what if someone tries to register as a new user with your email address? They would either succeed, or get an error message saying that email address is already registered (which tells them you are a registered user of that site).
Wow, this is really interesting. Facebook DOES give different messages for wrong password and nonexistent accounts, but it only displayed account name and profile picture for my account, so I think it only does that if you’ve logged in on this computer recently.
They could just say “Thanks for registering. The email you used was firstname.lastname@example.org Please check your inbox for an activation message. You will not be able to log in until you activate your account.”
And then to the actual email address, assuming it was already registered: "Somebody tried to register an account with your email address at our website, but you already have an account! Click here to reset your password.
If it WASN’T you, just ignore this email. You won’t get this message again for another month. You can also log in to your account to disable these notices for good."
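The two defences discussed in this thread, a login error that never says which half was wrong and a registration flow that shows the same page either way and only tells the mailbox owner the truth, as an added example that is not from any poster. The in-memory user store, the outbox list and the sample address alice@example.org are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed stand-ins: a user table of salted password hashes and a list
# that plays the role of the outgoing mail queue.
_SALT = b"example-salt-not-for-production"
USERS = {}
OUTBOX = []

GENERIC_LOGIN_ERROR = "Invalid email or password."


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Sample registered user (constructed).
USERS["alice@example.org"] = _hash("correct horse")


def login(email, password):
    """Return (ok, message). The message is identical for an unknown address
    and a wrong password, so a failed attempt does not confirm membership."""
    stored = USERS.get(email)
    candidate = _hash(password)  # always do the work, so timing is uniform too
    if stored is not None and hmac.compare_digest(stored, candidate):
        return True, "Welcome back."
    return False, GENERIC_LOGIN_ERROR


def register(email, password):
    """Return the on-screen text, which is the same whether or not the address
    is already registered. Only the email sent to the mailbox differs, so only
    the person who can read that mailbox learns an account exists."""
    if email in USERS:
        # Do not create or overwrite anything; just tell the real owner.
        OUTBOX.append((email, "Somebody tried to register with your address, "
                              "but you already have an account. If it wasn't "
                              "you, ignore this message."))
    else:
        USERS[email] = _hash(password)
        OUTBOX.append((email, "Please click the activation link to finish "
                              "signing up."))
    return ("Thanks for registering. The email you used was %s. "
            "Please check your inbox for an activation message." % email)
```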
I googled mine and just get a handful of Firefox bugs I’ve reported. (Make sure you use quotes, or it may search for just your username.) Bugzilla seems to be the odd site out in actually displaying your email address.
I’m sure that they could get more information from stuff that’s been hacked, though. And, yes, there’s almost always a way to see if you’ve used a particular email to register on a website. The vague error messages only stop the stupidest of scammers and cause a bit of inconvenience to legitimate users.
A very few sites may warn you if someone tries to sign up with your email (à la Reply) but they’re so few I don’t even remember which one(s) it was.
Did they mean they can do this after breaking into your email or just by knowing your email address? Just knowing the address would be hit and miss but if they break into it, you may have various emails from forums that they could see.