Skitch revealing users' email addresses
Update: the developers have now changed this on the site, and full email addresses are no longer revealed. However, it still reveals the domain of the registered address which, while not quite as bad, isn't necessary and still leaves a hole. The pattern skitchusername@emaildomain.com has, in my opinion, a good chance of being a valid address (especially on privately owned domains that have catch-all aliases). Why reveal *any* part of the address? Users will either get the reminder email or they won't!
–
In this day and age, it’s 2000 and f*cking 8 FFS!


So what's happening here...
As I finally got around to signing up for a Skitch alpha/beta/whatever (thanks Jimk), I thought I'd check whether I already had. I tried the usual login details that I use pretty much everywhere for non-critical accounts. Both of my usual usernames/nicknames were taken. That isn't unusual in itself, but as an early adopter it is rare for me.
I then went to try to retrieve the password for one of those accounts (it's possible one of them was mine). Providing a username or email address should confirm whether the account exists and then send the password reset instructions to the registered email. If it was my account, I would receive the email.
In theory, that's a relatively OK way of doing that process. What went wrong was this: having entered just the username, I was shown a screen that contained the email address registered for that account. It was not my email address.
Recap:
- email addresses are shown for any username you enter
- usernames are used as personal URLs, so they are easily found
- this works without being logged in, so there is no account to tie the requests to
Why is this a bad thing? Well, apart from the obvious reason, it wouldn't be very hard for someone to script something that systematically discovers usernames, and thus email addresses.
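To make the enumeration point concrete, here is an added example (my own, not Skitch's code) modelling a password-reset responder over a constructed in-memory user table. The usernames, addresses and the "no-such-user" probe name are all made up. It compares the behaviour described in the post (full address echoed back), the domain-only variant from the update, and a responder whose reply does not depend on whether the lookup matched, and runs the same simple oracle-style enumeration script against each:

```python
# Added example for this post: it is not Skitch's code. It models a
# password-reset responder over a constructed, in-memory user table and
# compares three response policies against a simple enumeration script.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample accounts (hypothetical usernames and addresses).
USERS: Dict[str, str] = {
    "josh": "josh@example-private.net",
    "jimk": "jim@example.org",
}

# Stand-in for the mail transport. Only the mail server sees this; the
# person submitting the form never does.
OUTBOX: List[Tuple[str, str]] = []

GENERIC_RESPONSE = (
    "If an account matches what you entered, reset instructions have been "
    "sent to the email address registered for it."
)


def _lookup(identifier: str) -> Optional[Tuple[str, str]]:
    """Resolve a username or email address to (username, registered address)."""
    ident = identifier.strip().lower()
    if ident in USERS:
        return ident, USERS[ident]
    for name, addr in USERS.items():
        if addr.lower() == ident:
            return name, addr
    return None


def reset_leaky(identifier: str) -> str:
    """The behaviour reported in the post: the full registered address is
    echoed back to whoever typed the username."""
    hit = _lookup(identifier)
    if hit is None:
        return "No account found for that username or email address."
    name, addr = hit
    OUTBOX.append((addr, f"Password reset for {name}"))
    return f"Reset instructions have been sent to {addr}."


def reset_domain_only(identifier: str) -> str:
    """The domain-only variant from the update. The local part is hidden,
    but the reply still differs between real and nonexistent accounts and
    still discloses the mail domain."""
    hit = _lookup(identifier)
    if hit is None:
        return "No account found for that username or email address."
    name, addr = hit
    OUTBOX.append((addr, f"Password reset for {name}"))
    domain = addr.rsplit("@", 1)[1]
    return f"Reset instructions have been sent to your address at {domain}."


def reset_uniform(identifier: str) -> str:
    """The reply does not depend on whether the lookup matched. Mail is
    still sent when there is a match; the form just does not say so."""
    hit = _lookup(identifier)
    if hit is not None:
        name, addr = hit
        OUTBOX.append((addr, f"Password reset for {name}"))
    return GENERIC_RESPONSE


def enumerate_accounts(handler: Callable[[str], str],
                       candidates: List[str]) -> Dict[str, str]:
    """Attacker side: treat the form as an oracle. Any candidate that gets
    a different reply from an improbable name is taken to be a real account."""
    baseline = handler("no-such-user-7f3a9c")  # constructed, assumed absent
    return {c: handler(c) for c in candidates if handler(c) != baseline}


def mails_sent_to(addr: str) -> int:
    """How many reset mails the transport has queued for an address."""
    return sum(1 for to, _ in OUTBOX if to == addr)


if __name__ == "__main__":
    # Candidate names would come from the public profile URLs in practice.
    guesses = ["josh", "jimk", "someone_else"]
    for handler in (reset_leaky, reset_domain_only, reset_uniform):
        print(handler.__name__, "->", enumerate_accounts(handler, guesses))
```

The enumeration script never parses the page; it only needs the reply for a guessed name to differ from the reply for a name that certainly doesn't exist, which is why the domain-only variant fares no better than the original. The uniform responder only closes that gap if the status code, page content and (roughly) response time are the same on both paths, and it still needs rate limiting, since every guess that does match sends a real email to someone.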
Please, Please fix this!
There are surely other sites with this behaviour; how long will it go on?
P.S. I really do like Skitch, it's a great tool. I've been using GrabUp more though, it's much simpler.

July 31st, 2008 at 5:16 pm
Good catch, I will contact Skitch as well and hopefully they will get this sorted.
By the way, jimk.co.uk is gone :(
I have http://www.jlk.me now (need to build the site now).
July 31st, 2008 at 7:54 pm
Hello!
Thanks for this bug report, Josh!
We always take security and privacy concerns very seriously when designing our dialogs, but this one has slipped through the net undetected for too long :(
I’m pleased to announce this has been fixed on our live systems now, in accordance with how this is solved at blogger.com (showing the domain name of the mail account being sent to).
Hopefully, this should cover any concerns you have :)
Øyvind Selbek
plasq LLC/Skitch.com
August 1st, 2008 at 2:52 am
hey Øyvind,
that’s great, good work :)
I spotted it a while back and had forgotten. Good to know you're on top of this sort of problem. I'll check it out and update this post!
thanks!
August 4th, 2008 at 6:01 am
Hey Josh, you should come work for me, you're clearly good at bug hunting :P
I like grabup too, I find myself using it instead of Skitch occasionally, although I still find Skitch indispensable when you have to do some basic cropping and adding of comedy text before upload :)
If Skitch had basic layers support/transparency I’d probably never need to launch Photoshop!
BTW this is the first time I've happened across your blog; last time I came to this URL I think it was just your repository of links to various stuffs. I'm adding this to my RSS feeds in Mail so I'll be back ;)