Hacker News new | ask | show | jobs
by tluyben2 1485 days ago
I have seen sites that are vulnerable to this;

- the hackers signs up with xxxx@gmail.com via the normal email/pass way

- the email arrives in xxxx their mailbox but it is ignored (might even be flagged as something they don’t read anyway because, for now, it’s an unknown service)

- the user, at some time in the future, goes to the site and signs up (they think) by clicking ‘sign up with Google’

- the site now merges the former account with the latter and signs in the user; because signing in with gmail, there is no email link that has to be clicked

The site’s ( erroneous ) db entry is now a validated (via sso) account with a manual password; the hacker can now login with the password they set in the first place while the real user logs in via the Google sso link.
5 comments
Pxtl 1485 days ago
> the email arrives in xxxx their mailbox but it is ignored (might even be flagged as something they don’t read anyway because, for now, it’s an unknown service)

Most services don't even offer a way to resolve this.

There is never a "this email does not belong to the person who created the account and should be detached from it" link.

link
CrimsonRain 1484 days ago
Those who do, don't have a way to prevent it in future.

Some same guy keeps using my email address as their recovery email for Gmail every few days. And I have to detach it again and again. Amazing spam by Google. Nobody can do anything.

link
hddqsb 1484 days ago
I'm curious, have you ever tried contacting that guy and explaining that he shouldn't use your email address?

This design seems like a surprising oversight on Google's part. The correct design is to only add the recovery account if a verification link is clicked (which is in fact what they do for enabling mail forwarding). That way you could simply create a filter to mark the requests from that guy as spam. However, being the recovery address of this guy doesn't seem like such a serious problem – it should be relatively easy to filter the emails that Gmail sends to recovery accounts (something like "from:no-reply@accounts.google.com <guy's email address>").

link
yellow_lead 1484 days ago
I can think of a way to permanently correct that :)
link
tluyben2 1485 days ago
We simply have both status (not verified) and a type (password) fields; so an type sso login or signup will never encounter a type password record and a not verified record will never let you get logged on. Then we purge not verified records every few days.
link
Gigachad 1485 days ago
The cumbersome way would be to confirm the email, do a password reset and then deactivate the account.
link
Pxtl 1485 days ago
I'm hesitant to do this because occasionally I've been blocked by some second factor for password resets, but at that point I've confirmed the email.
link
ridgered4 1484 days ago
I would expect a phone number link request at that point for suspicious activity, which actually is suspicious this time. And that is assuming it's even possible to deactivate the account without going into a black hole phone tree which is what I expect these days. Even if you successfully deactivate it, a service you aren't using now has data on you that won't ever actually be deleted. Trying to fix it feels like it's almost playing into the scammer's hands.
link
Pxtl 1484 days ago
They're not scammers - I've just got a firstname.lastname@gmail account which means a zillion confused people think they're me.

https://xkcd.com/1279/

link
ziml77 1484 days ago
Yes this is so annoying! I think it also sometimes happens when email addresses are communicated through speech instead of writing.

Though I tend to just block the sender domain (because they're always from services that I'm never going to use anyway) and ignore the email just on the off-chance that someone is trying to scam me in some weird way. (Plus I really just don't care enough to deal with it unless the email is clearly important or sent by an actual person)

link
croon 1484 days ago
I've stuck to using only email logins simply for less reliance on google (or any other specific service) and getting unique logins for every new service. I'm glad there's now a security benefit attached to it as well, even if I would have never imagined it myself.
link
xeromal 1485 days ago
That's pretty clever. Thanks for sharing the thought process!
link
steve_taylor 1485 days ago
It used to be standard for signup forms to include only the email address. It was thought to decrease friction. At some point, someone decided it was better to ask for a password upfront, then it became the new standard.
link
x86_64Ubuntu 1484 days ago
Is that why I constantly get emails saying that I've signed up for various online services that I've never heard of?
link
ziml77 1484 days ago
Is your email address something like [fullname]@gmail.com? Because in that case it's more likely that someone is either confused about their own email address or just made a typo and left out the number they put after the name they happen to share with you.
link
x86_64Ubuntu 1484 days ago
It is in the form of [fullname]@gmail.com. It got so bad to the point that I called the guy and we spoke. Now when I see an email from an org in his state, I automatically forward it to him. My email for instance is firstlast@gmail.com, his is firstllast@gmail.com and he forgets to put the 'l'.
link