[Opensource] Interesting Security Issue
Michael Rimov
rimovm at centercomp.com
Fri Jun 27 00:30:00 PDT 2003
Hi Folks,
Ok, so this is for high-end security, but it's a good point. From the
Crypto-Gram newsletter from Counterpane Labs.
-----------------------------------------------------------------------
Expired Domains, E-Mail Addresses, and Passwords
A very common feature of password-protected Web sites is the ability to
request that the password be e-mailed to you. The idea is simple: people
forget their passwords and need to be reminded of them. It's a reasonable
security assumption that the e-mail address of the person is secure, so it
is reasonable to e-mail the password to them. (You can argue about the
wisdom of e-mailing the password unencrypted, but I don't think
eavesdropping is the attack we're worried about here.)
Here's a clever attack to exploit this feature. Step 1: Buy an expired
domain. Step 2: Watch all the spam come in, and figure out what e-mail
accounts were active for that domain's previous owner. Step 3: Go to an
account-based site -- eBay, Amazon, etc. -- and request that the password
be sent to those accounts. If the people with those accounts didn't bother
to change their e-mail address when the domain expired, you can collect
their passwords.
Someone tried that with an expired domain and eBay accounts, and found that
-- if he wanted to -- he could have collected a few passwords. Moral: when
an e-mail address deactivates, everything associated with that address
should be deactivated as well.
<http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01>
---------------------------------------------------------------------------
-Mike