
moderated Re: Changing email address security issue #misc

Mark Murphy
 

On Thu, Feb 4, 2021 at 09:57 AM, Peter Cook wrote:
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 
Yes, I should have said that also. Re-subscribing might be the only way for members who are unable to log in to GIO (never logged in, can't remember password, etc.) and have lost access to their original email account.


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Thu, Feb 4, 2021 at 09:54 AM, Mark Murphy wrote:
re-subscribe to their groups with the new email address
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 

Pete


moderated Re: Changing email address security issue #misc

Mark Murphy
 

I reported this issue to Mark privately because I consider it a serious security issue. I believe the potential security implications far outweigh any convenience this feature may provide even to a well-intentioned owner or moderator who wishes to help a member who no longer has access to an email address or who wishes to change their email address.

Maybe I'm missing something about the "need" for this feature. If a member wants/needs to change their email address, why can't the member just re-subscribe to their groups with the new email address? Are there common and valid use cases for owners or mod needing to change the email on behalf of the member, other than "convenience" for the member?

The problem here is that the ability for a user to change their email address is often implemented through an authentication mechanism other than email, such as providing a username and password. Since these are not required in GIO for email only members, there is no alternative authentication mechanism available.

Thank you,

Mark


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 06:42 AM, Peter Cook wrote:
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.
Well, for some reason, some people here are complaining that it's been too hard for their members to do, or that it hasn't worked, etc. It looks easy for sure. And it really is not rocket science. So my guess was that something has been going wrong with the "reconfirmation" part of the change, such as perhaps the confirmation email going into the stratosphere. Who knows. I don't believe anyone is making this up. People have been having problems, for some as-yet unknown reason. I also have never had a member who's had a problem with it. I think it just needs to be explained to them clearly, if not by the system itself on the page (which I think could use some clarification), then by the group owner.

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Peter Cook
 

On Thu, Feb 4, 2021 at 09:32 AM, J_Catlady wrote:
system has not made it easy enough for them to do
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.

Pete


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 03:50 AM, Robert Oshel wrote:
Wouldn't having the system send an email sent to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem?
I think it may (although my gut tells me that unforeseen problems could still ensue). As others in this thread have pointed out, and with which I strongly agree, requests by members for help making groups.io-wide changes to their accounts, such as their very identity (email address) in the system, should go to groups.io if the member themselves can't navigate the change, and not to an individual group owner. Just as today Mark posts about an unforeseen problem, I would bet there will be others, even with this suggested confirmation/notification, due to the entity making the change (group owner) being at the wrong level.

I think the problem is not that these users having trouble changing their email addresses are technically challenged, or too old, or however others here have described them. The problem is that the system has not made it easy enough for them to do. Why not fix that real problem instead of going through contortions to put bandaids on it?
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

On Thu, Feb 4, 2021 at 02:04 AM, Andy Wedge wrote:
There is one member that I know of who has membership to another group but that's it.
In my group, and in many or most of the cats groups, probably between 50% and 90% of the members are in other groups.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Clarify Photo Album Owner Name #suggestion

Duane
 

On Thu, Feb 4, 2021 at 07:22 AM, Chris Jones wrote:
But is this actually a problem?
It really depends on the wishes of the group owner for organization.  If all photos of lamps are to be in the album "lamps", then each may be owned by a different person though the album is (probably) owned by the group owner/mod.  I have just such a situation on one of my groups and none of the photos are mine, but I'm still shown as owner of the album.  In this case, having the photo owner name on the right side, across from the photo name, in the album view would resolve it, but that could be a problem with long photo names.  Maybe under the photo name would be better.

Duane


moderated Re: Clarify Photo Album Owner Name #suggestion

Chris Jones
 

On Thu, Feb 4, 2021 at 12:21 PM, Duane wrote:
But this doesn't resolve the situation where more than one person has added photos to an album.  The album creator is shown as owner until you open a photo.
But is this actually a problem? Accepting that the owner of an album may not be the owner of any or all of the photos within it doesn't look to be a major complication. To widen the discussion slightly... do members get confused when they find that they can upload a photo into album A but not into album B, simply because that is the way the album owners have set them up? Do members get hot under the collar if they find that a Group Owner or Moderator has come along and deleted some material (including complete albums) or moved photos between albums in a rationalisation exercise?

To me there is a risk of going round looking for problems that don't really exist.

Chris


moderated Re: Changing email address security issue #misc

Jeremy H
 

As I mentioned in another thread, the Groups.io ecosystem is formed of three groups of stakeholders: "Service provider (Groups.io, Inc, i.e. Mark)", "Group Owners" and "Group Members" - each of whom has a relationship with both of the others. In particular, Group Members do have a direct relationship with Groups.io, Inc, separate from whatever relationship they have with Group Owners. And it is because of their relationship with Group.io Inc, that they can be members of groups.

From this it follows, that Group Owners should only be able to change a Member's settings that are, specifically, part of their membership of that owner's group.

And that any Member Settings that apply to no specific group, or multiple groups, should only be able to be changed by the member, or (if really necessary) by Groups.io support.

As a user's (Group Member's) e-mail address is used to logon to Groups.io, and for all messages from all their groups, it follows that only they, or Groups.io support, should be able to change it. (If they had a separate e-mail-address-for-posts-from-this-group, then that group's owner should be able to change that - but (AIUI) that's not how Group.io works)

The one area where this might not apply is for Enterprise groups, which - possibly - can have a different set of relationships, with a group owner, potentially, having the ability to prevent their members joining other groups.

Jeremy


moderated Re: Clarify Photo Album Owner Name #suggestion

Duane
 

On Wed, Feb 3, 2021 at 05:08 PM, Mark Fletcher wrote:
I've removed the album owner from the /photos page and instead it's now displayed when you view a specific album
But this doesn't resolve the situation where more than one person has added photos to an album.  The album creator is shown as owner until you open a photo.

Duane


moderated Re: Changing email address security issue #misc

Robert Oshel
 

Wouldn't having the system send an email to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem?   The would-be hijacking moderator or owner wouldn't have any control over the original address, so he or she couldn't send a confirmation that the change is legitimate and the change wouldn't take effect.

   Bob


On Wed, Feb 3, 2021 at 8:01 PM Bruce Bowman <bruce.bowman@...> wrote:
On Wed, Feb 3, 2021 at 07:29 PM, J_Catlady wrote:
If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?
Correct.

Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address. That being so, anyone with $20 in their pocket and a few extra email addresses can set up a Premium group for a month and shanghai the accounts of everyone who joins it.

Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

Regards,
Bruce
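One way to model the confirm-from-the-original-address flow Bob proposes, as an added illustration that is not groups.io's code; the `Account` structure and the sample addresses are constructed for the example:

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Account:
    email: str                              # the address used to log in
    pending_new_email: Optional[str] = None
    old_token: Optional[str] = None         # mailed to the current address
    new_token: Optional[str] = None         # mailed to the proposed address
    old_confirmed: bool = False
    new_confirmed: bool = False

def request_change(acct: Account, new_email: str) -> Dict[str, str]:
    """Start a change. Whoever asks (member, owner, moderator), nothing
    happens yet; this returns the one-time tokens keyed by the address
    each would be mailed to (a stand-in for actually sending mail)."""
    acct.pending_new_email = new_email
    acct.old_token = secrets.token_urlsafe(16)
    acct.new_token = secrets.token_urlsafe(16)
    acct.old_confirmed = acct.new_confirmed = False
    return {acct.email: acct.old_token, new_email: acct.new_token}

def confirm(acct: Account, token: str) -> bool:
    """Accept a token from either mailbox; the address is only replaced
    once the *current* mailbox has confirmed too. Returns whether the
    token was valid, not whether the change completed."""
    if acct.pending_new_email is None:
        return False
    if secrets.compare_digest(token, acct.old_token):
        acct.old_confirmed = True
    elif secrets.compare_digest(token, acct.new_token):
        acct.new_confirmed = True
    else:
        return False
    if acct.old_confirmed and acct.new_confirmed:
        acct.email = acct.pending_new_email
        acct.pending_new_email = acct.old_token = acct.new_token = None
    return True

def owner_initiated_change_without_old_mailbox() -> str:
    """Bruce's scenario: an owner points a member's account at an address
    the owner controls and can only confirm from that mailbox. Returns the
    resulting login address (constructed sample addresses)."""
    member = Account("member@example.org")
    mail = request_change(member, "owner-alt@example.net")
    confirm(member, mail["owner-alt@example.net"])   # only the new mailbox
    return member.email                               # unchanged

def member_initiated_change() -> str:
    """The legitimate path: the member confirms from both mailboxes."""
    me = Account("member@example.org")
    mail = request_change(me, "me-new@example.org")
    for token in mail.values():
        confirm(me, token)
    return me.email
```

The pending request can additionally be expired after a short time so that a token mailed to a lost mailbox does not stay valid indefinitely.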


moderated Re: Changing email address security issue #misc

Sandi D <sandi.asgtechie@...>
 

On Wed, Feb 3, 2021 at 01:43 PM, Dave Sergeant wrote:
Nobody but the member himself should be able to change email addresses.
I would agree. Email addresses should be under the control of the person they belong to and not a third party.
 
--
Sandi Dickenson


moderated Re: Changing email address security issue #misc

Andy Wedge
 

On Thu, Feb 4, 2021 at 08:09 AM, D R Stinson wrote:
So you can see, a person belonging to a single group is more likely to be the exception than the rule.
The 1000+ members in my group had never heard of Groups.io until we switched to using it. There is one member that I know of who has membership to another group but that's it. So the other 999+ are hardly the exception.

Andy


moderated Re: Clarify Photo Album Owner Name #suggestion

Chris Jones
 

On Wed, Feb 3, 2021 at 11:08 PM, Mark Fletcher wrote:
I've removed the album owner from the /photos page and instead it's now displayed when you view a specific album, on top of the cover graphic.
 
Excellent idea! However, the owner's name appears in "underlying link blue" which makes it very difficult to read.

Chris


moderated Re: Changing email address security issue #misc

 

Shal,

Yes, coffee time for me. Realized immediately after.

However, the whole thing still feels wrong to me. One issue is that it’s asymmetrical. New member joins a lone group, asks mod to change their email address, mod says sure, no problem. Time goes by and they join another group, decide to change their email address again, and this time mod says sorry can’t do that, you’re now in more than one group. User scratches head in confusion.

Or, mod sees the “change email” panel in the member page for only a subset of their members, wonders why it’s gone (or grayed out) in the others. At minimum this will require a lot of education of mods.

I feel there are other scenarios that we can’t imagine yet.

On Feb 3, 2021, at 11:54 PM, Shal Farley <shals2nd@gmail.com> wrote:

J,

Nothing until they start joining other groups.
Coffee time (for you or for me*)?

If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act.

If the baddie acts first it is the baddie's own address joining those other groups. The baddie could have done that w/o stealing a subscription to his/her own group.

Looked at another way, if the victim has no other subscriptions, then the baddie's address change ploy is no different than removing the victim from baddie's group and subscribing the baddie's alternate address to that group.

There may be one slight thing to gain. It allows the baddie to be seen as the poster of the victim's content in baddie's group. But then again the baddie could remove and repost the victim's content, so it is a really meager advantage.

Shal
*Actually, nearly bed time for me. So water, not coffee.




--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

Dano,

So you can see, a person belonging to a single group is more likely to
be the exception than the rule.
I have no evidence, but I think it may be your experience that is the exception. ¯\_(ツ)_/¯

In any case, a modification could be that the member may not have subscriptions to any groups that you (the mod/owner taking the action) do not also own/moderate.

In the baddie scenario that would again limit the effect to groups under the baddie's control. That is, subscriptions the baddie already could remove and groups the baddie could already join.

Those are the people that seem to need the most assistance today. They
joined back when joining was simpler ...
Has that changed in some way?

... and they may have had a spouse to help them. They're older now,
and many have trouble doing much more than replying to posts.
That seems more plausible.

Shal


moderated Re: Changing email address security issue #misc

 

Shal notes:
The mitigation of allowing changes only to members having no
other subscriptions resolves the baddie scenario - there's
nothing to be gained by "stealing" a member's subscription
this way.
Shal - I think being able to help members with only a single group is a pretty rare situation. I own two premium groups, focused on a particular railroad's history and operations, that are essentially parallel groups. They have both existed for many years and discuss the same subjects and the same histories. They were originally created as separate groups by different owners who didn't see eye-to-eye about how to run groups. Over a number of years on Y!, ownership of both groups eventually passed on to me and I maintained them as they were. When I transferred them to groups.io, I kept them as parallel premium groups to keep the traffic as people were used to and to be able to assist the old-timers.

I also moderate two other groups with a similar story, except that they were both spinoff groups and the primary group died. And because the railroads ran in the same area as the first two groups I mentioned, there is a lot of crossover between all those groups, and many other related lines.

Those are the people that seem to need the most assistance today. They joined back when joining was simpler and they may have had a spouse to help them. They're older now, and many have trouble doing much more than replying to posts. But many of them with blue collar backgrounds have an irreplaceable knowledge and eye-witness memories of the actual history we discuss. To lose them can be a huge loss.

Another premium group I have is the successor of a group that was also a parallel group to another group that moved here. I took that group Premium specifically because I was concerned that I might need the additional abilities available to a premium moderator.

So you can see, a person belonging to a single group is more likely to be the exception than the rule.

My suggestion would be to look at the security measures taken by credit card companies who face the same thing every day, but with much higher stakes.

Dano



moderated Re: Changing email address security issue #misc

 

J,

Nothing until they start joining other groups.
Coffee time (for you or for me*)?

If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act.

If the baddie acts first it is the baddie's own address joining those other groups. The baddie could have done that w/o stealing a subscription to his/her own group.

Looked at another way, if the victim has no other subscriptions, then the baddie's address change ploy is no different than removing the victim from baddie's group and subscribing the baddie's alternate address to that group.

There may be one slight thing to gain. It allows the baddie to be seen as the poster of the victim's content in baddie's group. But then again the baddie could remove and repost the victim's content, so it is a really meager advantage.

Shal
*Actually, nearly bed time for me. So water, not coffee.


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 11:23 PM, Shal Farley wrote:
The mitigation of allowing changes only to members having no other subscriptions resolves the baddie scenario - there's nothing to be gained by "stealing" a member's subscription this way.
Nothing until they start joining other groups.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu
