Is this MetaFilter feature a security issue? April 11, 2012 11:45 AM


Most sites have ways to recover a username with the email associated with the account, and MetaFilter's is located here. Unlike other sites I have seen, MetaFilter displays the username associated with the email in the browser as opposed to emailing the account used. I know that some users may wish to keep their identities secret, and this publicly links their email with their account. Is this a security issue?
posted by 200burritos to Etiquette/Policy at 11:45 AM (30 comments total) 1 user marked this as a favorite

Can you describe a bit how someone would exploit this? It could be a security issue, but I'm having trouble coming up with a scenario where it could be used to harm someone.
posted by pb (staff) at 11:48 AM on April 11, 2012


It's a security issue only if you are concerned about someone mis-using MetaFilter under your name, or if you have some secret info in your MeMail and nowhere else.

It seems MetaFilter is not a prime venue for personal attack, but I could be wrong.
posted by filthy light thief at 11:53 AM on April 11, 2012


Suppose I'm compiling a dossier on a political dissident. I've already found one of their email addresses.

Now I'm searching for that address in various places and entering it into various web forms to see what happens. (MetaFilter isn't exactly unique in having this feature, so I might try.)

I happen to enter it into the password recovery field at MetaFilter and thereby confirm that this person has that account name hereabouts.

I add all that user's posts and comments to my dossier.

I search for other sites with a user by that name.

If I have some limited password-breaking resources, I now know that I could fruitfully apply those to this account at MetaFilter.

I guess this is more of a privacy risk than a security risk, if that distinction even means anything.
posted by LogicalDash at 11:56 AM on April 11, 2012 [2 favorites]


Can you describe a bit how someone would exploit this?

Knowing an email address means you can know any username associated with it. Assuming usernames are "anonymous," this can unmask them.
posted by Threeway Handshake at 11:56 AM on April 11, 2012 [3 favorites]


odinsdream, also true. Logged in, I can see Name, Email, Birthday, Location, Occupation, Gender, Status, Also On, and Joined. Not logged in, I only see Name, Also On, and Joined.

Note to those concerned about people figuring out who you are on MetaFilter - be careful about what info is visible on your linked accounts. Someone emailed me directly about a post, and I was baffled how they figured out my email address, until I saw it visible on another social site.
posted by filthy light thief at 11:57 AM on April 11, 2012


Shouldn't it email you your username at a validated email address on file at MeFi HQ, instead of displaying it on-screen?
posted by misterbrandt at 11:57 AM on April 11, 2012


Shouldn't it email you your username at a validated email address on file at MeFi HQ, instead of displaying it on-screen?

Right. The proper behavior would be to send the recovery information only to the registered email address. In-browser, the site should say something like "Please check your email for further instructions."

Also, the same message should be displayed for *any* email address input into the recovery field, regardless of whether it is registered or not (hide "email not found" errors, in other words), to thwart people snooping for email addresses by checking for positive messages in it.

It could be a security issue

It is more a "privacy issue" rather than a security issue. It becomes a security issue if the email account is compromised.
posted by Threeway Handshake at 12:02 PM on April 11, 2012 [3 favorites]


Like LogicalDash says, it's a privacy thing. I can see how there's a concern for someone who contributed to the site not realizing that the registration mail they used could ever be exposed and linked to them.

For instance, my employer knows my personal email address because that's how I approached them to get a job. They also know my fallback address because I use it for IM. So maybe they see some comments of mine revealing inside information about the company, or just saying unflattering things about it, and they suspect — but don't know — it's me. All they have to do is type in the addresses they know are mine to see if one matches the user they're curious about. It's not 100 percent confirmation, but it'd probably be enough to confront me, putting me in the position of either lying and claiming I was framed or confessing.

It's a pretty obscure scenario, but I don't know why MeFi has to do things the way it is. Most sites just ask for your registration address. Some will tell you if they don't have it on file, others don't even do that much: They don't bother showing an error and just don't send a mail. I've always assumed that the ones not returning an error are doing so to prevent people from fishing around.
posted by mph at 12:04 PM on April 11, 2012 [1 favorite]
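A minimal model of the two behaviours discussed in Threeway Handshake's and mph's comments above, as an added example that is not MetaFilter's code: the in-browser reply that confirms an email-to-username link (with a distinct "not found" error), beside the hardened form that answers identically for every address and sends the username only to the registered address. The account table and the `Outbox` mail stand-in are constructed so the example runs offline.

```python
from dataclasses import dataclass, field

# Constructed sample account table (email -> username); not real MetaFilter data.
ACCOUNTS = {
    "alice@example.org": "alice_mefi",
    "bob@example.org": "bob_1999",
}

# One fixed reply for every input: a registered and an unregistered address
# must be indistinguishable to the person typing into the form.
GENERIC_REPLY = "If that address is on file, we've emailed your username to it."


@dataclass
class Outbox:
    """Stand-in for a mail transport (hypothetical) so the example runs offline."""
    sent: list = field(default_factory=list)

    def send(self, to_addr: str, body: str) -> None:
        self.sent.append((to_addr, body))


def normalize(email: str) -> str:
    """Canonicalise the lookup key so a casing or whitespace variant of a
    registered address is treated the same as the stored one."""
    return email.strip().lower()


def recover_username_leaky(email: str) -> str:
    """The behaviour the thread describes: the username, or an explicit
    'not found' error, is rendered in the browser for whoever typed the
    address, so any visitor can confirm whether an email maps to an account."""
    username = ACCOUNTS.get(normalize(email))
    if username is None:
        return "No account found for that email address."
    return f"Your username is {username}."


def recover_username_safe(email: str, outbox: Outbox) -> str:
    """Hardened form: the browser only ever sees GENERIC_REPLY, and the
    username travels solely to the address already on file. A production
    version should also rate-limit the form per client and per address."""
    key = normalize(email)
    username = ACCOUNTS.get(key)
    if username is not None:
        outbox.send(key, f"Your username is {username}.")
    return GENERIC_REPLY
```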


If the account was compromised, the spy would get the username there, anyway.
posted by LogicalDash at 12:05 PM on April 11, 2012


Thanks for expanding on this, everyone. We removed that feature.

If you forget your username in the future you can use the contact form to ask and we'll help you find it.
posted by pb (staff) at 12:05 PM on April 11, 2012 [16 favorites]


Thanks for the quick turnaround, pb, and for calling this out, 200burritos. Sometimes a lot of effort and time are spent on fixing technical security holes, without enough on procedural ones.
posted by davejay at 12:13 PM on April 11, 2012 [2 favorites]


filthy light thief: "odinsdream, also true. Logged in, I can see Name, Email"

Showing email to logged-in users is blockable as well.
posted by mkb at 12:35 PM on April 11, 2012


I figured out Romney's username right before this was fixed. He's prolific, but he doesn't pick up many favorites.
posted by brain_drain at 12:47 PM on April 11, 2012


Thanks for expanding on this, everyone. We removed that feature.

Removed it right before I started plugging in emails of random folks I know. Thanks for nothing.
posted by Bulgaroktonos at 12:50 PM on April 11, 2012 [2 favorites]


Thanks for nothing.

You're welcome for nothing!
posted by jessamyn (staff) at 12:56 PM on April 11, 2012 [17 favorites]


So what's a pony called when it's requesting a feature to be removed? A horse? A negpony? What's the opposite of a pony?
posted by Think_Long at 1:20 PM on April 11, 2012 [1 favorite]


Instead of "I want a pony," I guess it'd be "got one for the glue factory."
posted by mph at 1:21 PM on April 11, 2012 [2 favorites]


A nony.
posted by Scientist at 1:22 PM on April 11, 2012 [1 favorite]


An open barn door.
posted by bonehead at 1:54 PM on April 11, 2012


A mule.
posted by davejay at 2:04 PM on April 11, 2012


A gluejob.
posted by cortex (staff) at 2:30 PM on April 11, 2012 [2 favorites]


You all are so awesome. As a paranoid person, I send you hugs and dancing bunnies in waistcoats from my undisclosed location.
posted by winna at 2:46 PM on April 11, 2012 [4 favorites]


Opposite of a pony? : mountain lion or cougar.... om nom nom nom...is tasty.
posted by mightshould at 4:05 PM on April 11, 2012


20 minute turnaround time? Jesus, man. Pace yourself.
posted by absalom at 4:06 PM on April 11, 2012


Opposite of a pony? A cart or trap maybe.
posted by marienbad at 4:43 PM on April 11, 2012


Great catch.
posted by cashman at 5:28 PM on April 11, 2012


So what's a pony called when it's requesting a feature to be removed?

A night mare?
posted by mendel at 5:42 PM on April 11, 2012 [1 favorite]


A clydesdale.
posted by OsoMeaty at 7:16 PM on April 11, 2012


Thank you so much for bringing this up, 200burritos. Now I can sleep a little better at night knowing that my anonymity on MetaFilter is safe.
posted by scose at 9:59 AM on April 12, 2012


I'm so happy that every MetaFilter poster is now protected from highly unlikely scenarios! Feelin' like a superhero..................
posted by 200burritos at 12:05 PM on April 12, 2012

