moderated Re: Changing email address security issue #misc

 

Shal notes:
> The mitigation of allowing changes only to members having no
> other subscriptions resolves the baddie scenario - there's
> nothing to be gained by "stealing" a member's subscription
> this way.

Shal - I think being able to help members with only a single group is a pretty rare situation. I own two premium groups, focused on a particular railroad's history and operations, that are essentially parallel groups. They have both existed for many years and discuss the same subjects and the same histories. They were originally created as separate groups by different owners who didn't see eye-to-eye about how to run groups. Over a number of years on Y!, ownership of both groups eventually passed on to me and I maintained them as they were. When I transferred them to groups.io, I kept them as parallel premium groups to keep the traffic as people were used to and to be able to assist the old-timers.

I also moderate two other groups with a similar story, except that they were both spinoff groups and the primary group died. And because the railroads ran in the same area as the first two groups I mentioned, there is a lot of crossover between all those groups, and many other related lines.

Those are the people that seem to need the most assistance today. They joined back when joining was simpler and they may have had a spouse to help them. They're older now, and many have trouble doing much more than replying to posts. But many of them with blue collar backgrounds have an irreplaceable knowledge and eye-witness memories of the actual history we discuss. To lose them can be a huge loss.

Another premium group I have is the successor of a group that was also a parallel group to another group that moved here. I took that group Premium specifically because I was concerned that I might need the additional abilities available to a premium moderator.

So you can see, a person belonging to a single group is more likely to be the exception than the rule.

My suggestion would be to look at the security measures taken by credit card companies who face the same thing every day, but with much higher stakes.

Dano



moderated Re: Changing email address security issue #misc

 

J,

> Nothing until they start joining other groups.

Coffee time (for you or for me*)?

If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act.

If the baddie acts first it is the baddie's own address joining those other groups. The baddie could have done that w/o stealing a subscription to his/her own group.

Looked at another way, if the victim has no other subscriptions, then the baddie's address change ploy is no different than removing the victim from baddie's group and subscribing the baddie's alternate address to that group.

There may be one slight thing to gain. It allows the baddie to be seen as the poster of the victim's content in baddie's group. But then again the baddie could remove and repost the victim's content, so it is a really meager advantage.

Shal
*Actually, nearly bed time for me. So water, not coffee.


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 11:23 PM, Shal Farley wrote:
> The mitigation of allowing changes only to members having no other subscriptions resolves the baddie scenario - there's nothing to be gained by "stealing" a member's subscription this way.

Nothing until they start joining other groups.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 10:52 PM, Dave Sergeant wrote:
> There is no way for anyone, including me, to ever get your Groups.io
> password.
> 'No way ever' is true until it is proven not to be.

When I said that an unscrupulous owner who changes a member's email address to one of their own "also has their password," I meant that they essentially have it by virtue of being immediately able to set or change it via the login link. The email address *is* the account, in a sense. Besides uniquely identifying the account to groups.io, anyone who controls the email address also controls the account.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

Christos,

> ... and the verification part process is initiated: A confirmation
> email is sent to both addresses (so the user can complete the
> process from either the old or new mailboxes), ...

The catch-22 is that in the baddie scenario the baddie controls the new mailbox. So allowing the baddie to confirm their own misdeed adds no security.

On the other hand, in the use-case scenario, the victim may no longer be in control of their old email address, or may not receive messages from Groups.io reliably; either of which may be why they want to change. So confirmation only from the old address may be impractical.

The mitigation of allowing changes only to members having no other subscriptions resolves the baddie scenario - there's nothing to be gained by "stealing" a member's subscription this way.

Shal


moderated Re: Changing email address security issue #misc

Dave Sergeant
 

On 3 Feb 2021 at 16:02, Mark Fletcher wrote:

> There is no way for anyone, including me, to ever get your Groups.io
> password.

'No way ever' is true until it is proven not to be.

https://grahamcluley.com/poor-password-security-mensa/

I was one of two people mentioned there who had their personal details
exposed in their member's forum. My password, partially obliterated by
the hacker but sufficient of it shown that it was clear he knew the
lot, had been obtained from their database by methods not yet known,
possibly a brute force attack. The other person had that password used
to log into his GMail account that sadly used the same one.

Hopefully Groups.io security is a lot better than the inadequate one
now exposed at Mensa, but it shows that 'never happens' certainly
sometimes does.

Dave

http://davesergeant.com


moderated Re: Changing email address security issue #misc

 

Pete,

> I agree with J - I just don't think the risk outweighs the benefit to
> the users. Maybe I'm missing some key point about the value of this
> capability?

As others have discussed, I think the primary use case for the feature is assistance to group members who are having trouble maintaining their subscription.

That's why I suggested limiting it to members who have no other subscriptions - they are the most likely to be brought to Groups.io by that group, quite likely email only, and possibly naive about how it all works. There will be exceptions, but my theory is that most people with more than one subscription will be a step or two up in terms of using Groups.io's account features.

I think also that trying to improve the security of the feature by sending a notice or confirmation request to the /old/ address is particularly likely to fail - the member in need may not have access to that Inbox any more, or it may be at one of those services most apt to reject or quarantine messages from Groups.io.

Shal


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 05:01 PM, Bruce Bowman wrote:
> Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

I agree. Palpably inadequate!
 https://www.youtube.com/watch?v=9E1bOYLuxUw

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 


>>>
Instead of continuing to support a major security breach, groups.io could simply streamline and clarify the process for users who want to change their email addresses. It is not rocket science, after all, or shouldn't be, even for unsophisticated users.
<<<

This is a very good point:  If we are going to spend the effort to fix the mod email-addy-change process (as best as possible), to make it secure (as much as possible), by involving the member in the process, might as well just rip the feature out and redirect that effort to making the user email-addy-change process the same best+secure as possible, plus as easy as possible.

It does seem like a win-win.

Cheers,
Christos


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 12:50 PM, D R Stinson wrote:
> I explained how he can change his email address, but it didn't work for him. We have been unable to ascertain why. I should add that he wants to change his email for all his groups.io memberships, as his old email is going away.
>
> At this point I don't know what the problem is.

It may be that the problem lies in the wording on the Change Email page. Once you click on it, you're told "are you sure you want to change  your email address - you must reconfirm your account" but does not say what "reconfirm your account" means. Nothing at all about checking email for a confirmation message, etc. And we know those confirmation messages often go into outer space anyway (or used to). Instead of continuing to support a major security breach, groups.io could simply streamline and clarify the process for users who want to change their email addresses. It is not rocket science, after all, or shouldn't be, even for unsophisticated users.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

I'm with the others, just the pure technical concept itself of being able to freely and easily change someone else's email address is inherently risky; so from that perspective, even if I see value in being able to do it (I've grudgingly used it a few times), if it was to be taken away (from Premium at least if Ent complains) it wouldn't cause me to lose my beauty nap.

But if it has to stay, hardening it is about the only thing that can be done; Shal suggested it, make it as hard as possible rules-wise so at least it should deter as much of misuse/abuse as possible, and also involve the user in the process, but I don't know if it's worth it, it could mean quite some work for Mark. (aren't you glad you asked? lol)

>>> It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

 

- When the admin changes someone's password and clicks on Save [or alternatively no more textbox-editing but have a button next to it so we're entering the new addy in a new dialog], no address-change process is actually initiated, but first we check to see if there's a "pending change request for that member" (so to prevent competing/conflicting requests), and if yes, abort and notify.

- If no pending request, a dialog asks now whether this change is for this group-only or system-wide.  (it would also state among other info that emails would be sent to both addresses that can serve as a deterrent to the casual misuser/abuser)

- After they select either option and click OK, this task now goes to "pending change request for that member" status and the verification part process is initiated: A confirmation email is sent to both*** addresses (so the user can complete the process from either the old or new mailboxes***), containing the link, plus maybe informational+auditing/tracing info, enough info so if that email was forwarded to support or even beta/GMF, it would tell us all that's needed to get to the bottom of this.

- That link will be the trigger to kick-start the actual split-into-new-account or just change-addy process.  "Same thing" as if the user logged-in online and did the change themselves except it's a one-clicker done through email instead, for least user trouble.

- That link/token would auto-expire after <some amount to be determined>, so this way if this was a mistake like a typo***, it will auto-expire and nothing changes. (this last auto-expire bit could also prevent typos in the main account change process if implemented there as well :)

- Obviously plenty of auditing info would also be logged in the group's log.

 

(*** send the email to the new address first, and only if it doesn't bounce then send the copy to the old address, to prevent the user from clicking the link from the old mailbox email and unwittingly confirm his change to an invalid address.  Also, if the new address bounces, just abort and reset everything back, and notify both the mod and the user at the old address)

 

This may well be quite some work to implement, I have no idea, but with the exception of someone getting hold of a member's old address mailbox, I think it should catch everything else because the previous owner always gets notified (one way or another) and also always has to be involved in making it complete.  The owner/mod just facilitates it and makes it easier for them but doesn't do the actual change, and since the user does it it eliminates a large portion of the inherent security problem.

And if it was implemented, one could argue (not me this time) that the newly-introduced mod restriction could be lifted to allow an owner-only to help another group's owner/mod having account problems, we had a recent GMF thread where that was mentioned as a way to help the owner out, but she got it figured out eventually.  Or just leave it there in place, whichever.

I can't remember right now if the current mod-changed addy process sends out any emails to the old address, but a less secure but also less work compromise could be to just update the current process to do just that, let it happen as it does but also let the old address know.

Cheers,
Christos
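
The flow proposed in the post above (pending-request check, delivery to the new address first, expiring confirmation link, audit logging), modelled as an added example that is not part of the original post and is not Groups.io code. The class and method names, the 72-hour expiry and the separate token per mailbox are assumptions; the group-only versus system-wide choice is left out.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 72 * 3600  # assumed value; the post leaves the expiry undetermined

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class EmailChangeFlow:
    """Moderator proposes, member confirms. All names here are hypothetical."""

    def __init__(self, send_mail):
        self.send_mail = send_mail  # callable(addr, body) -> False on bounce
        self.accounts = {}          # member_id -> current address
        self.pending = {}           # member_id -> open request
        self.audit = []             # stands in for the group's activity log

    def _log(self, now, member_id, event):
        self.audit.append((int(now), member_id, event))

    def propose(self, mod, member_id, new_addr, now=None):
        now = time.time() if now is None else now
        old_addr = self.accounts[member_id]
        req = self.pending.get(member_id)
        if req and req["expires"] > now:
            # A competing request is refused while one is still open.
            self._log(now, member_id, f"{mod}: rejected, request already pending")
            return None
        # Assumption: one token per mailbox, so the log shows which one confirmed.
        tokens = {"new": secrets.token_urlsafe(32), "old": secrets.token_urlsafe(32)}
        text = f"{mod} asked to change {old_addr} to {new_addr}. Confirm with: "
        # New address first: if it bounces, abort and tell the old address.
        if not self.send_mail(new_addr, text + tokens["new"]):
            self.send_mail(old_addr, f"Change to {new_addr} aborted: address bounced")
            self._log(now, member_id, f"{mod}: aborted, {new_addr} bounced")
            return None
        self.send_mail(old_addr, text + tokens["old"])
        self.pending[member_id] = {
            "new_addr": new_addr, "expires": now + TOKEN_TTL,
            "digests": {box: _digest(t) for box, t in tokens.items()}}
        self._log(now, member_id, f"{mod}: proposed {old_addr} -> {new_addr}")
        return tokens  # returned only so the example can be exercised offline

    def confirm(self, member_id, token, now=None):
        now = time.time() if now is None else now
        req = self.pending.get(member_id)
        if req is None:
            return False
        if now >= req["expires"]:
            # Expired link: the request is dropped and the address is unchanged.
            del self.pending[member_id]
            self._log(now, member_id, "expired, nothing changed")
            return False
        for box, digest in req["digests"].items():
            if hmac.compare_digest(digest, _digest(token)):
                self.accounts[member_id] = req["new_addr"]
                del self.pending[member_id]
                self._log(now, member_id, f"confirmed from {box} mailbox")
                return True
        self._log(now, member_id, "bad token")
        return False
```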


moderated Re: Changing email address security issue #misc

 

I think removing it is getting more “votes” here than keeping it.


On Feb 3, 2021, at 5:15 PM, Bruce Bowman <bruce.bowman@...> wrote:

> On Wed, Feb 3, 2021 at 08:07 PM, J_Catlady wrote:
> > And isn't the basis of the whole take-over-someone's-group scenario that Mark originally posted about based on exactly that?
>
> Yes, it is...and will remain so, as long as the "email me a link" sign-in function exists in tandem with the "change someone else's email address."
>
> Honestly, I've been aware of this as a potential system hack for more than a year. For obvious reasons, to this point I've been reluctant to mention it here in beta. And as I previously stated, I knew that the notion of removing this feature wouldn't be a very popular one among group Owners.
>
> But the cat's out of the bag now (no pun intended), so let's make sure we get this right.
>
> Regards,
> Bruce

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

My opinion: someone not part of the groups.io support team should not be able to change a member's email address, even if that member is only a member of that one group, and even if it's a premium group (unless you have some contractual obligation).

A group owner could be fooled by someone pretending to be the user in question, tricking them into locking out the real user.

There are workarounds.

1. Walk the user through changing their own email, if that works out.
2. Remove the old email from the group, and direct add the new email. (If this was a mistake, it can be easily fixed.) The account with the new email won't be able to do things like delete messages posted by the old email, but someone who can't figure out how to change their own email address probably won't be doing that, anyway.
3. Contact groups.io support. This can also be used for situations like "There are 500 users in my group from abc.com who need to have their domain changed to def.com following a corporate takeover."

Thanks,
JohnF


moderated Re: Changing email address security issue #misc

Bruce Bowman
 

On Wed, Feb 3, 2021 at 08:07 PM, J_Catlady wrote:
> And isn't the basis of the whole take-over-someone's-group scenario that Mark originally posted about based on exactly that?

Yes, it is...and will remain so, as long as the "email me a link" sign-in function exists in tandem with the "change someone else's email address."

Honestly, I've been aware of this as a potential system hack for more than a year. For obvious reasons, to this point I've been reluctant to mention it here in beta. And as I previously stated, I knew that the notion of removing this feature wouldn't be a very popular one among group Owners.

But the cat's out of the bag now (no pun intended), so let's make sure we get this right.

Regards,
Bruce


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 05:01 PM, Bruce Bowman wrote:

> Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address.

Yes. And isn't the basis of the whole take-over-someone's-group scenario that Mark originally posted about based on exactly that? Or I'm missing something here.
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 04:38 PM, D R Stinson wrote:
> Additionally, only *premium* group owners have the ability to change email addresses.

Good point! So only premium group owners can hack people's accounts. ;)
 
--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

Bruce Bowman
 

On Wed, Feb 3, 2021 at 07:29 PM, J_Catlady wrote:
> If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?

Correct.

Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address. That being so, anyone with $20 in their pocket and a few extra email addresses can set up a Premium group for a month and shanghai the accounts of everyone who joins it.

Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

Regards,
Bruce


moderated Re: Changing email address security issue #misc

 

> On Wed, Feb 3, 2021 at 3:46 PM J_Catlady <j.olivia.catlady@...> wrote:
> > Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group they join, can actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.
>
> There is no way for anyone, including me, to ever get your Groups.io password.
>
> Mark

Additionally, only *premium* group owners have the ability to change email addresses. Ordinary group owners have never had that ability.

Dano



moderated Re: Changing email address security issue #misc

 

If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?


On Feb 3, 2021, at 4:03 PM, Mark Fletcher <markf@corp.groups.io> wrote:


> On Wed, Feb 3, 2021 at 3:46 PM J_Catlady <j.olivia.catlady@...> wrote:
> > Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group they join, can actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.
>
> There is no way for anyone, including me, to ever get your Groups.io password.
>
> Mark

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


moderated Re: Changing email address security issue #misc

 

On Wed, Feb 3, 2021 at 3:46 PM J_Catlady <j.olivia.catlady@...> wrote:
> Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group they join, can actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.

There is no way for anyone, including me, to ever get your Groups.io password. 


Mark 
