In the last week I’ve received a couple of disturbing notifications from free webapp operators. Both of these, to me, were basic no-nos for responsible operation of a service communicating with its customers. As I was writing to the second provider explaining why I think what they are doing is a bad idea, it occurred to me that there should be a way to contribute to the solution. What follows are my rambling thoughts on the matter.
The first case was when I signed up for Oovoo and received my confirmation email. The registration process doesn’t require that you confirm your email address to complete, nor does it ask you to enter it twice, so I could easily have mistyped the address. Why do I care? I care because when they did send a confirmation (which was just to confirm my signup, not to verify my email) the email they sent me contained my password right there, in the clear. Awesome! Truth be told, this isn’t the first time I’ve seen this, but previous cases have been from applications I installed, not from a public service. Had I fat-fingered that email address, my password (which is shared with other unimportant accounts) would have been in the hands of who knows who. I tend to keep my passwords pretty well segregated, but many folks do not.
I sent Oovoo a nice note asking that they stop doing this, why it’s a bad idea, etc. I’ll give them credit for having a prompt and polite response to my note letting me know they passed the feedback on to their developers.
The second case was today, when I received a note from StumbleUpon.com asking me to confirm my email address. This message looked ordinary enough and contained the all-too-easy link to click to confirm your email. My problem? I didn’t do anything to initiate it. I’ve used StumbleUpon in the past but I haven’t used it for many months. Both the fact that I haven’t used the service and the fact that I signed up many months ago quickly made me suspicious. Reading the message further, it appears they’re going to be enabling some new features which will require a valid email address, and they need to confirm folks’ email. Fair enough, but there’s a better way than to train the public to trust and click through on these types of messages. So, I sent another email providing my $.02. I was very nice, I always am.
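To make the two complaints above concrete, here is an added example (my own illustration, not code from Oovoo, StumbleUpon or this post) of a signup and confirmation flow that avoids both problems: the password is stored only as a salted scrypt hash and never appears in any outgoing mail, and the confirmation link carries a random, single-use, time-limited token whose hash is all the service keeps. The in-memory `USERS` and `PENDING` tables, the `example.invalid` URL, the one-day lifetime and the scrypt parameters are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example; a real service persists these.
USERS = {}      # email -> {"pw_hash": bytes, "salt": bytes, "verified": bool}
PENDING = {}    # sha256(token) hex -> {"email": str, "expires": float}

TOKEN_TTL = 24 * 3600   # assumption: a confirmation link is good for one day


def hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library scrypt; the cost parameters are an assumption, tune per deployment.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(email: str, password: str, now: float = None) -> str:
    """Create an unverified account and return the body of the confirmation email.

    The returned text is the only thing that leaves the service, and it never
    contains the password, so a mistyped address leaks nothing reusable.
    """
    now = time.time() if now is None else now
    salt = os.urandom(16)
    USERS[email] = {"pw_hash": hash_password(password, salt),
                    "salt": salt, "verified": False}
    # Random single-use token. Only its hash is stored, so a leaked table
    # does not hand an attacker working confirmation links.
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL}
    return ("Thanks for signing up. To confirm this address, open "
            f"https://example.invalid/confirm?token={token}\n"   # hypothetical URL
            "If you did not sign up, ignore this message.")


def confirm(token: str, now: float = None) -> bool:
    """Redeem a confirmation token. Returns True only for a fresh, unused, unexpired token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison against every pending digest, so timing does not
    # reveal how much of a guessed token matched.
    match = None
    for stored in PENDING:
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        return False
    entry = PENDING.pop(match)        # single use: gone whether or not it is still valid
    if now > entry["expires"]:
        return False
    USERS[entry["email"]]["verified"] = True
    return True


def check_login(email: str, password: str) -> bool:
    """Verify a password against the stored hash without ever recovering the password."""
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
```

The point of keeping only the token's hash and of comparing with `hmac.compare_digest` is that neither a database dump nor a timing side channel yields a usable link; the point of `register` returning a body with no password in it is that a fat-fingered address costs the user a confirmation mail, not an account elsewhere.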
I don’t mean to sound critical of either company, I know they are both doing their best and would do better with a little guidance.
So how do we change this? To me, it’s one thing for a company not to have the more mature aspects of security worked out, such as business continuity planning, policies and compliance, hiring a guy to manage the whole thing and so on. It is another thing entirely not to know that it’s a bad idea to send someone their password in an email, or not to understand the types of email behavior that make phishing today as easy as it is. I see these things as elementary; requisite knowledge for getting your license to build an Internet service. Fortunately and unfortunately, no such requirement exists.
I’m sure there are frameworks that address these types of issues, but rarely are those applied to these types of small companies. These are groups of developers doing their best to get a product running and out the door, normally on a shoestring budget. How does the security community at large reach them consistently and improve this? On one hand, I think I’m looking at a few edge cases. On the other hand, I’d like to think this could be improved. If you have suggestions I’m interested; I’ll be doing my own research and will update here when I find out more.