Recently, I decided to follow up one of the many emails I receive from a company I've never heard of, implying I have an account with them. I usually assume they are spam, but this looked like a genuine case of someone accidentally using my email address and the service not verifying it. Long story short: via their password recovery, I now have the user's plaintext password, and several personal details including address, age, phone number, and mother's maiden name.
I emailed the company (a US mobile phone company I haven't heard of; I'm based in the UK) and their response was along the lines of "call us (at your expense) and tell us your phone number and we'll sort it out". In the end, out of sheer frustration, I reset the account's email address to that of the company's WHOIS technical contact; that was the safest way I could think of getting my email address off the account.
Google, of course, handle this kind of thing properly. But for every Google, there are thousands of companies who will give your personal data away without a care in the world.
I once had someone sign up for an electronic voicemail service with my email address. I was getting all their voicemail, including once about 50 in the space of an afternoon from a clearly distressed client of theirs. It took a very long email chain with customer service explaining that I couldn't log in to the account to change the email address because I didn't have the password and the account wasn't mine. A similar thing happened with a PlayStation Network account.
Web developers: Please make sure to include a "Didn't sign up for this? Click here to disable/unsubscribe" option in sign up emails, rather than assuming that the person receiving the email is the correct person who knows the password.
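One way to build the "Didn't sign up for this?" link the comment above asks for, as an added example that is not code from the original thread: the sign-up email carries a server-signed, expiring token bound to the account and the address it was sent to, so the recipient can disable the account without knowing its password. The in-memory account store, the signing key and the 30-day lifetime are all constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory account store, constructed for this example.
ACCOUNTS = {
    "acct-42": {"email": "someone@example.org", "email_verified": False,
                "notifications": True, "disabled": False},
}
# Server-side signing key: generated here for the example, loaded from config in practice.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 30 * 24 * 3600  # a disavow link should stay valid for weeks, not hours

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disavow_token(account_id: str, email: str, now: Optional[float] = None) -> str:
    """Token to embed in the sign-up email's 'Didn't sign up? Disable this account' link."""
    issued = time.time() if now is None else now
    payload = f"{account_id}|{email}|{int(issued + TOKEN_TTL)}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def disavow(token: str, now: Optional[float] = None) -> str:
    """Verify the token and, if valid, disable the account without needing its password."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return "malformed"
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "bad-signature"
    account_id, email, expires = payload.decode().split("|")
    if (time.time() if now is None else now) > int(expires):
        return "expired"
    acct = ACCOUNTS.get(account_id)
    # Only act if the address in the link is still the one on the account, so a link
    # sent to an old address cannot disable an account the real owner has since fixed.
    if acct is None or acct["email"] != email:
        return "stale"
    acct.update({"email_verified": False, "notifications": False, "disabled": True})
    return "disavowed"
```

The same check, without the account-disabling step, is what a plain email-verification link does; the difference here is that the unverified recipient gets a way out instead of only the password holder getting a way in.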
To be fair, I have accidentally clicked on the "oh yeah, confirm this email address" when I suddenly realize "no, wait, I created that account with my other email address... what the heck is this?"
More of a problem with common big-name services like Facebook and Apple ID and whatnot.
Thank you. This is what is frustrating. One of the worst offenders for me was reporting a vulnerability to http://www.gogvo.com/ - the vulnerability did end up getting patched (so, that, at least, was a plus), but..
Did I get any sort of response to the disclosure email? Nope. That said, if not getting a reply was the only issue, I really wouldn't care.
What did I get? Added to a spam newsletter from gogvo/Joel Therien:
"true 100% commissions for life!!"
"How To Take ACTION In Your Business LIVE tomorrow night!"
Thanks, gogvo, for that.
On the other hand, for every gogvo, I've had a handful of companies sincerely thank me for my reports. It varies a lot.
I own an email account that people could put for their email when they don't want to give an email. Something like test@domain.com. I have gotten emails that indicate people (not me) have signed up for services with it. I created it for throwaway accounts.
The funny thing about mine is that it's a pretty standard [name]@gmail.com, yet I get an awful lot of stuff claiming that my address has been signed up for various things - often in the 'youth social media' vein. I'm never sure whether people are just entering a random email address, or if this is spam.
Nice write-up. While checking to see if Google's "Hall of Fame" [1] was updated yet, I noticed that their reward program is actually really active. Here are some stats compiled about the Reward Recipients and Honorable Mention pages; based on these numbers, they are doling out a cash reward roughly every 1.8 days!
Back in the day, the "Hall of Fame" for this kind of exploit would be a .txt file sent to full-disclosure, detailing the exploit and sending "greetz" to your "crew" (or if you were lucky, posted in a periodical of note like Phrack).
Now the fix comes out before anyone gets harmed by it, AND the person who discovered it gets PAID for it. Whoever thought up the rewards program is keeping people safe and still giving hackers a good reason to keep hacking. The future is amazing.
I always love reading writeups of these vulnerabilities.
On a related note, I love that bug bounty programs are becoming more popular. Still too rare, but great. That said, the majority of companies out there still make reporting vulnerabilities tough. I've reported a number of vulnerabilities, and all but a few companies had no security@ email address nor a security contact under Contact Us. The tech/admin contact of the DNS record often does the trick, but doesn't always work.
Please, companies, make it easier for us to report security vulnerabilities!
I have a remote DoS and possible code execution on one of the world's most widely deployed desktop applications. Their security team has been on top of it (got back an initial human response and responsible team member within 48 hours, etc.), but the nature of the beast means that all subsequent steps take weeks to months. I can't remember off the top of my head, but I think we're at 4 months and counting.
Professional courtesy suggests I should not confirm nor deny that. Let's just say that AmaGooBookSoft all have surface areas larger than the Death Star, and it is highly, highly unlikely that any of them have found all the exhaust ports yet.
That is very fast for something at a huge scale like Gmail. They had someone responsibly disclose the exploit so they fixed it quickly but not so quick as to destabilize Gmail by not properly testing/deploying. Making changes to software used by millions is not that easy.
The last exploit I found in Windows took about 6 months to get patched (this was in 2010; they may have improved). It was a 'ping of death' style instant-bluescreen-from-one-packet kind of exploit.
10 days is _nothing_.
That is sad. There should be some kind of TOS for public internet companies. While this kind of exploit does not hurt Google, it can be very dangerous for users.
Sounds like it would be a good extension to Data Protection / Computer Abuse/Misuse Acts depending on what it allows access to. Anyone pointing out a failing in your system should not be prosecuted unless they've actually committed a crime.
At first I thought it was odd and weird too. After some more thought, and correct me if I am wrong, there weren't any differences between them. They both are tokens that are generated and verified by the server, except a CAPTCHA actually requires human interaction.
Vulnerability Reward Programs are getting more and more popular. @homakov and @bef0rd made a script for collecting all people listed in a security "Hall of Fame":