update: The developers have now changed this on the site; email addresses are no longer revealed. However, it still reveals the domain of the email address, which, while not quite as bad, isn't necessary and still leaves a hole. The pattern skitchusername@emaildomain.com, in my opinion, has a good chance of being a valid email (especially on privately owned domains that have catch-all aliases). Why reveal *any* part of the address? Users will either get a reminder email or they won't!
–
In this day and age, it’s 2000 and f*cking 8 FFS!


So what's happening here...
As I finally got around to signing up for a Skitch alpha/beta/whatever (thanks Jimk), I thought I'd check whether I already had. I tried the usual login details that I use pretty much everywhere for non-critical accounts. Both of my usual usernames/nicknames were taken. That isn't unusual in general, but as an early adopter it is rare for me.
I then decided to try to retrieve the password for one of those accounts (it's possible it was me). Providing a username or email address should confirm whether the account exists and then send the password reset instructions to the registered email. If this was my account, I would receive the email.
In theory, that's a relatively OK way of handling that process. What went wrong was this: having entered just the usernames, I was then shown a screen that contained the email address for that account. It was not my email address.
Recap:
- email addresses are shown by providing any username
- usernames are used as personal URLs, thus easily found
- this is possible without being logged in, so there is no account to tie the requests back to
Why is this a bad thing? Apart from the obvious privacy problem, it wouldn't be very hard for someone to write a script that walks the personal URLs to collect usernames, feeds each one to the reset form, and harvests the email address that comes back. The fix is the standard one: give the same response whether or not the account exists, and send the instructions to the registered address without ever echoing any part of it back to the page.
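To make the hole and the fix concrete, here is an added example in Python. It is not Skitch's code; the user table, usernames and addresses are constructed for the example, and `send_reset_email` is a stand-in for a real mailer. `reset_leaky` mirrors the behaviour described above, `reset_domain_only` mirrors the "domain only" behaviour from the update, and `reset_uniform` is the hardened form that answers identically for known and unknown usernames. `harvest` is the kind of script the paragraph warns about, run against each handler.

```python
"""Password-reset handlers that leak the registered email (or its domain)
beside a hardened handler, plus the enumeration loop an attacker would run.
Added example; not code from the post or from Skitch."""

# Constructed sample user table (made-up names and addresses).
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@privatedomain.example",
}

# Records what the stand-in mailer would have sent, for inspection.
SENT = []


def send_reset_email(address):
    """Stand-in for the real mailer; a real system would queue this so the
    response time does not differ between known and unknown users."""
    SENT.append(address)


def reset_leaky(username):
    """Mirrors the behaviour described in the post: confirms the account
    and echoes the registered address back to an anonymous visitor."""
    email = USERS.get(username)
    if email is None:
        return "No account with that username."
    send_reset_email(email)
    return f"Reset instructions sent to {email}."


def reset_domain_only(username):
    """Mirrors the behaviour after the site's change: the local part is
    hidden but the domain is still confirmed, and so is the account."""
    email = USERS.get(username)
    if email is None:
        return "No account with that username."
    send_reset_email(email)
    domain = email.split("@", 1)[1]
    return f"Reset instructions sent to your address at {domain}."


GENERIC = ("If that username is registered, reset instructions have been "
           "sent to its email address.")


def reset_uniform(username):
    """Hardened version: one message for everyone, and the address never
    leaves the server. An attacker learns nothing from the response."""
    email = USERS.get(username)
    if email is not None:
        send_reset_email(email)
    return GENERIC


def harvest(handler, candidates):
    """What an attacker would script: feed usernames scraped from the
    public profile URLs to the reset handler and keep what it reveals.
    Returns {username: harvested_or_guessed_address}."""
    found = {}
    for name in candidates:
        reply = handler(name)
        if "@" in reply:
            # Full address echoed back: take it as-is.
            found[name] = reply.rsplit(" ", 1)[1].rstrip(".")
        elif " at " in reply:
            # Only the domain leaked: build the username@domain guess the
            # update describes (a good bet on catch-all domains).
            domain = reply.rsplit(" ", 1)[1].rstrip(".")
            found[name] = f"{name}@{domain}"
    return found


if __name__ == "__main__":
    scraped = ["alice", "bob", "carol"]  # carol has no account
    for handler in (reset_leaky, reset_domain_only, reset_uniform):
        print(handler.__name__, harvest(handler, scraped))
```

Run it and the leaky handler gives up both addresses, the domain-only handler gives up two correct guesses, and the uniform handler gives up nothing, while the mail still goes out to the real owner in every case.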
Please, Please fix this!
There are surely other examples of this behavior; how long will it go on?
P.s. I really actually like Skitch, it’s a great tool. I’ve been using GrabUp more though, it’s much simpler.
