CNET’s security blunder

CNET certainly gets a kick out of criticizing security issues in Microsoft products, but how good are its own most basic security measures?

For security purposes, we require all email address updates to be confirmed by the email address owner. A confirmation e-mail with the subject "Confirm your updated email address" will be sent to the updated email address provided. Click the confirmation link within the e-mail to confirm this change of address. Continue.

CNET says that changing your email address requires verification for security purposes. But does it?

Today I tried changing my email address in my CNET account from my Gmail address to my Hotmail address, when I discovered a security flaw. Let’s see what it was.

Established security practice has it that websites and computer software must:

  1. Challenge the user's authority to change the email address, either by asking for the password again or by sending an activation email to the original email address, which, ideally, only the authorized user can access. This ensures that the change is not triggered by an unauthorized third party who took advantage of a temporarily unattended computer.
  2. Challenge the accuracy of the new address, either by asking the user to type the email address twice or by sending an activation email to the new email address.

Usually, websites avoid doing both steps by email activation, because two activation emails for one change would be very frustrating.
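To make the two checks above concrete, here is an added example (my own code, not CNET's) of a hypothetical email-change service that performs both: it re-asks the password (check 1), requires the new address twice (check 2a) and sends a single-use, expiring confirmation token to the new mailbox (check 2b), while also notifying the old mailbox. An in-memory outbox stands in for a real mail server so the example runs offline; the `weak_request_change` method shows the pattern the post criticizes for comparison.

```python
# Added example (not CNET's code): a hypothetical email-change flow that
# performs both checks the post lists. The outbox is a constructed stand-in
# for SMTP so the example runs offline.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # confirmation links expire after 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    # Store only a hash of the token, so a leaked database cannot confirm changes.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    # (token_hash, new_email, expires_at) while a change is pending, else None
    pending: Optional[tuple] = None


class EmailChangeService:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.outbox: list = []  # (recipient, subject, body) tuples

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, email, salt, hash_password(password, salt))

    def _send(self, to: str, subject: str, body: str) -> None:
        self.outbox.append((to, subject, body))

    def weak_request_change(self, username: str, new_email: str) -> None:
        # The pattern the post criticizes: only the *new* mailbox is asked to
        # confirm, so the check proves nothing about who is sitting at the session.
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        acct.pending = (_hash_token(token), new_email, time.time() + TOKEN_TTL_SECONDS)
        self._send(new_email, "Confirm your updated email address", f"token={token}")

    def request_change(self, username: str, current_password: str,
                       new_email: str, new_email_repeat: str) -> bool:
        acct = self.accounts[username]
        # Check 1: challenge the user's authority by asking for the password again.
        if not hmac.compare_digest(acct.pw_hash, hash_password(current_password, acct.salt)):
            return False
        # Check 2a: catch typos by requiring the new address to be typed twice.
        if new_email != new_email_repeat:
            return False
        # Check 2b: prove the new mailbox is reachable before switching to it.
        token = secrets.token_urlsafe(32)
        acct.pending = (_hash_token(token), new_email, time.time() + TOKEN_TTL_SECONDS)
        self._send(new_email, "Confirm your updated email address", f"token={token}")
        # Notify the *old* mailbox too, so its owner can spot a change they did not make.
        self._send(acct.email, "Your email address is being changed",
                   f"A request was made to change your address to {new_email}.")
        return True

    def confirm_change(self, username: str, token: str) -> bool:
        acct = self.accounts[username]
        if acct.pending is None:
            return False
        token_hash, new_email, expires_at = acct.pending
        if time.time() > expires_at:
            acct.pending = None  # expired tokens are discarded, not honoured
            return False
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            return False
        acct.email = new_email
        acct.pending = None  # single use: the token cannot be replayed
        return True
```

Note the ordering: the password check happens before any email is sent, so an unattended browser session alone is not enough to start the change, and the token is only ever compared by hash with a constant-time comparison.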

CNET did not ask me to re-enter my password or re-enter my email address and instead sent me an activation email, citing “security purposes” as the reason; however, the email came to the new address, not the original.

CNET's activation email

In practice, the email reads: Dear intruder! If you are seeing this email, it means you have successfully exploited the absence of our member and changed his email address to your own, without a typo. Now, enjoy resetting our member’s password and taking over his account.

CNET and its Download.com are famous for their exceptionally unjust treatment of Microsoft-related subjects (especially security) and their incredibly forgiving reviews of other vendors. I am not a fan of Microsoft myself, but nor am I a fan of the pot calling the kettle black.

Posted on 28 December 2013, in Computers and Internet.