CNET’s security blunder
Today I tried changing my email address in my CNET account from my Gmail address to my Hotmail address, when I discovered a security flaw. Let’s see what it was.
Established security practice has it that websites or computer software must:
- Challenge the user’s authority to change the email address, either by asking for the password again or by sending an activation email to the original email address, which ideally only the authorized user can access. This ensures that the change is not triggered by an unauthorized third party who exploited a temporarily unattended computer.
- Challenge the accuracy of the new address, either by asking the user to type the email address twice or by sending an activation email to the new email address.
Usually, websites try to avoid doing both steps by email activation because that would be very frustrating.
CNET did not ask me to re-enter my password or re-enter my email address and instead sent me an activation email, citing “security purposes” as the reason; however, the email came to the new address, not the original.
In practice, the email reads: Dear intruder! If you are seeing this email, it means you have successfully exploited the absence of our member and changed his email address to your own, without a typo. Now, enjoy resetting our member’s password and taking over his account.
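As an added illustration, not CNET's code or anything from this post, here is a minimal email-change flow in Python that satisfies both requirements listed above: the change is applied only after a token sent to the current address and a second token sent to the new address have both been presented, so confirming from the new mailbox alone (the flow described above) changes nothing. The in-memory OUTBOX standing in for a mail sender and the example addresses are assumptions for the demo.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an outgoing mail queue: (recipient, token).
OUTBOX: List[Tuple[str, str]] = []

@dataclass
class Account:
    email: str
    change: Optional[Dict] = None  # state of an in-flight address change

def request_email_change(acct: Account, new_email: str) -> None:
    """Issue two independent tokens: one to the current address (proves the
    requester controls the account) and one to the new address (proves it was
    typed correctly and is reachable). Neither alone completes the change."""
    tokens = {"old": secrets.token_urlsafe(16), "new": secrets.token_urlsafe(16)}
    acct.change = {"new_email": new_email, "tokens": tokens, "confirmed": set()}
    OUTBOX.append((acct.email, tokens["old"]))
    OUTBOX.append((new_email, tokens["new"]))

def confirm(acct: Account, token: str) -> bool:
    """Consume one token. Returns True only when both tokens have been
    presented and the address has actually been changed."""
    ch = acct.change
    if ch is None:
        return False
    for role, expected in ch["tokens"].items():
        if role not in ch["confirmed"] and secrets.compare_digest(token, expected):
            ch["confirmed"].add(role)
            break
    else:
        return False  # unknown, or already used, token
    if ch["confirmed"] == {"old", "new"}:
        acct.email = ch["new_email"]
        acct.change = None
        return True
    return False

def last_token_sent_to(recipient: str) -> Optional[str]:
    """Demo helper: the most recent token delivered to a mailbox."""
    for rcpt, token in reversed(OUTBOX):
        if rcpt == recipient:
            return token
    return None
```

Call request_email_change, then confirm with each delivered token; only the second confirmation returns True and rewrites the address.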
CNET and its Download.com are famous for their exceptionally unjust treatment of Microsoft-related subjects (especially security) and their incredibly forgiving reviews of other vendors. I am not a fan of Microsoft myself, but neither am I a fan of the pot calling the kettle black.
Posted on 28 December 2013, in Computers and Internet and tagged accuracy, activation, authentication, CNET, Download.com, email, exploit, hacker, password, security, software, typo, website.