[Owasp-leaders] email verification

Matt Tesauro matt.tesauro at owasp.org
Fri Mar 17 14:46:17 UTC 2017


Just to pile on, I don't even have a very common last name and I've gotten:

   - Loads of information for a mtesauro that's apparently in a retirement
   home in the UK (I'm in Texas)
   - Information for a high school wrestler in New Jersey
   - An Uber account for someone in the north east United States

For any of these, if the password reset mechanism uses an email
verification loop, I could take over the accounts should I choose to go to
the dark side.  It's happened enough that I have a 'not-me' label in Gmail
to filter these into.

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Fri, Mar 17, 2017 at 8:16 AM, Lucas Ferreira <lucas.ferreira at owasp.org>
wrote:

> Hello Ali,
>
> I have a similar experience: there are a couple of guys that keep using my
> Gmail address to enroll in multiple web sites, so I end up getting their
> private stuff, from invoices, to credit card statements, to college emails
> about homework. I can also easily impersonate them in most sites they use
> my email in and change passwords, names or even see their private info.
> In some cases, I could use the services they pay for (music streaming, wifi
> providers, Netflix, Uber, etc).
>
> So, there are security implications in not verifying the email address.
>
> Best regards,
>
> Lucas
>
> On Fri, Mar 17, 2017 at 6:01 AM Ali Khalfan <ali.khalfan at owasp.org> wrote:
>
>> My thinking exactly
>>
>> Possibility of leakage of info is huge
>> I think the additional step is worth it
>>
>> On March 17, 2017 12:45:19 AM GMT+03:00, Jeremy Long <
>> jeremy.long at gmail.com> wrote:
>>
>> From personal experience, and having a common name that I use for my
>> email address - yes, verification should be required. I've received balance
>> and payment due notices from American Express for a different Jeremy Long,
>> I've received Uber receipts from another Jeremy Long in Florida, I've
>> received amusement park tickets for a Jeremy Long in California, etc.  The
>> most fun of those was AmEx: try calling a financial institution and asking
>> them to remove an email address from an account for which I could only provide
>> the last 4 digits of the account number and the email address.
>>
>> Jeremy
>>
>>
>> On Mar 16, 2017 4:48 PM, "Ali Khalfan" <ali.khalfan at owasp.org> wrote:
>>
>> I'm interested in soliciting opinions regarding e-mail address
>> verification when users enroll in e-banking/e-learning/e-government
>> services.  Should this always be a necessary step, that a user should
>> verify that they own the e-mail?
>>
>>
>> What would be the risk if the user's ownership of the e-mail is not
>> verified?   I know this may sound like an obvious question, but I keep
>> seeing many critical services (such as e-banking) where users' ownership
>> of an email address is not verified.
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
> --
>
> Homo sapiens non urinat in ventum.
>
>
>
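The enrollment check the thread is asking about, as an added example that is not part of this thread, of any list member's code, or of any OWASP project. It assumes a hypothetical `EnrollmentService` with an injected `send_mail` callable and clock (so it runs offline), a made-up `https://example.invalid/` link format, and a 15-minute link lifetime as an assumed policy. An address becomes the account's only after a single-use, time-limited link sent to it has been followed; until then the service refuses to send statements or password-reset links to it, which closes both the leakage Lucas and Jeremy describe and the reset-loop takeover Matt describes.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed policy for this example: verification links expire after 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False


@dataclass
class PendingVerification:
    username: str
    email: str          # address the link was sent to, re-checked on use
    expires_at: float


class EnrollmentService:
    """Hypothetical enrollment service: an address is treated as the user's
    only after a link sent to it has been followed (ownership proven)."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(to_addr, body); injected so the example runs offline
        self.now = now               # injectable clock so expiry can be exercised
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingVerification] = {}   # keyed by token hash

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the hash is stored: a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, username: str, email: str) -> Account:
        acct = Account(username, email)
        self.accounts[username] = acct
        self.start_verification(username)
        return acct

    def start_verification(self, username: str) -> None:
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        self.pending[self._token_hash(token)] = PendingVerification(
            username, acct.email, self.now() + TOKEN_TTL_SECONDS)
        # Hypothetical verification URL; the token travels only to the mailbox.
        self.send_mail(acct.email, f"https://example.invalid/verify?token={token}")

    def verify(self, token: str) -> bool:
        """Called when the link is followed. Single use, time-limited."""
        pv = self.pending.pop(self._token_hash(token), None)
        if pv is None or self.now() > pv.expires_at:
            return False
        acct = self.accounts.get(pv.username)
        if acct is None or acct.email != pv.email:
            return False   # address changed after the link was sent
        acct.email_verified = True
        return True

    def _verified_account_for(self, email: str):
        return next((a for a in self.accounts.values()
                     if a.email == email and a.email_verified), None)

    def request_password_reset(self, email: str) -> bool:
        """Send a reset link only to an address whose ownership was proven;
        an unverified address must never become a takeover path."""
        acct = self._verified_account_for(email)
        if acct is None:
            return False   # the HTTP response shown to the caller should not differ
        # Reset-token storage is elided here; it would follow the same
        # hash-and-expire pattern as the verification token above.
        reset = secrets.token_urlsafe(32)
        self.send_mail(email, f"https://example.invalid/reset?token={reset}")
        return True

    def send_notice(self, username: str, body: str) -> bool:
        """Statements, receipts and similar go out only to verified addresses."""
        acct = self.accounts[username]
        if not acct.email_verified:
            return False
        self.send_mail(acct.email, body)
        return True
```

Because the stranger who typed someone else's address never sees the link, the account stays unverified and nothing sensitive is ever sent to the wrong mailbox; conversely, the mailbox owner who ignores the link cannot reset the stranger's password through it.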