moderated Changing email address security issue #misc


 

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


Peter Cook
 

Mark, I think I've said this in the past so I may be repeating myself.

I do not think I should have the ability to change anyone else's email address globally, if at all. I consider it just too much of a security risk. Members can do it themselves quite easily (I've provided folks with instructions a number of times). If they can't do it because they no longer have access to an email account, that's their issue to fix, not mine.

$.02,
Pete


Duane
 

On Wed, Feb 3, 2021 at 10:55 AM, Mark Fletcher wrote:
Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?
If you continue to allow email addresses to be changed, then I'd certainly prefer that it only effect one group.

Duane


Andy Wedge
 

On Wed, Feb 3, 2021 at 04:55 PM, Mark Fletcher wrote:

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Is that an owner or mod of a main group only or does it include mods of subgroups which may be just members in a main group?

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Along with the power to change someone's email address come the responsibility to use it wisely. I always get confirmation from the member in question that they understand that a change to their account address impacts all groups they are subscribed to.  Unless I get that confirmation, I don't make the change.  It can be lot less time and effort being able to make the change on behalf of someone than it is to recover the situation after their failed attempts.  It accounts are split based upon subscription I think that will generate confusion for some older members who will login with the wrong account for the group they want to interact with and wonder why they cannot access it.  Those are frequent questions on GMF.

Regards
Andy


Bruce Bowman
 

On Wed, Feb 3, 2021 at 11:55 AM, Mark Fletcher wrote:

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Mark -- Thanks. This has bothered me for awhile now.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Correct me if I'm mistaken, but I think the most common scenario behind the existing feature is when someone simply gets a new email address, leaving the old one inactive. In such a case, the current behavior -- having the change occur account-wide -- strikes me desirable. 

If the account was to be split into two, it raises the question of how to subsequently merge them...especially if the previous address is no longer accessible. Generally, it seems to me that if an account holder is struggling to change his own address, he isn't going to be any more adept at merging them.

A third option (which probably won't be popular but I'd like to throw out for consideration) is the elimination of this feature altogether. As group Owners, we cannot edit a subscriber's profile, but we can change their login credentials? That combo has never quite added up to me. 

Regards,
Bruce


 

This is a really good observation and I think the security risk applies not just to mods of groups. Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.

I’ve always felt queasy about the ability of a group owner to change the account address of anyone at all. That piece of data belongs at a higher level than the individual group. 

As a member of several premium groups, I’m wondering now whether group owners might do this to me. Prior to this I’d only thought about it as a group owner. I’d push for eliminating this ability entirely.


On Feb 3, 2021, at 8:55 AM, Mark Fletcher <markf@corp.groups.io> wrote:



Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


 

Actually since your fix, they can’t do it to me. So I csn see this leading to people artificially making themselves group owners in order to benefit from the enhanced security protection .   


On Feb 3, 2021, at 10:22 AM, J_Catlady via groups.io <j.olivia.catlady@...> wrote:

This is a really good observation and I think the security risk applies not just to mods of groups. Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.

I’ve always felt queasy about the ability of a group owner to change the account address of anyone at all. That piece of data belongs at a higher level than the individual group. 

As a member of several premium groups, I’m wondering now whether group owners might do this to me. Prior to this I’d only thought about it as a group owner. I’d push for eliminating this ability entirely.


On Feb 3, 2021, at 8:55 AM, Mark Fletcher <markf@corp.groups.io> wrote:



Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


 

Mark,


Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

I would disable the ability to change the address if the member is even a member of any other groups. That's because the other groups may have sensitive information in their content to which the baddie should not gain access.

Or, make it apply to this group only. But that will be fraught with details when the new address is already an account or an alias of an account. It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

Shal


Peter Cook
 

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete


 

I agree that Shal’s idea takes us in the right direction. But still not far enough. I’d get rid of it entirely.


On Feb 3, 2021, at 10:29 AM, Shal Farley <shals2nd@...> wrote:


Mark,


Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

I would disable the ability to change the address if the member is even a member of any other groups. That's because the other groups may have sensitive information in their content to which the baddie should not gain access.

Or, make it apply to this group only. But that will be fraught with details when the new address is already an account or an alias of an account. It may be worth delving into those details if it heads us in the direction of making it possible for the member to split their account, and/or move subscriptions between accounts (having somehow authenticated ownership of both).

Shal

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


 

Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit. Not to mention: the opportunity cost of implementing more worthwhile things.


On Feb 3, 2021, at 10:32 AM, Peter Cook <peterscottcook@...> wrote:

On Wed, Feb 3, 2021 at 01:22 PM, J_Catlady wrote:
Suppose I don’t like somebody in my group and I want access to all their subscriptions to do bad things. All I’d have to go is change the email address of their whole account.
I agree with J - I just don't think the risk outweighs the benefit to the users. Maybe I'm missing some key point about the value of this capability?

Pete

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


Dave Sergeant
 

On 3 Feb 2021 at 10:35, J_Catlady wrote:

Exactly, what Peter says. it's risk vs benefit. Huge risk, negligible
benefit. Not to mention: the opportunity cost of implementing more
worthwhile things.
Having just had my personal information publicly revealed on a hacked
forum I would agree. Nobody but the member himself should be able to
change email addresses.

Dave

http://davesergeant.com


Robert Oshel
 

How about allowing a moderator to change someone's email address only for that group, and the change does not go into effect until after the person is notified by email to the old address that the moderator is attempting to change his or her email address for the group and the person clicks an "I approve" option in the mail?  I have some technologically challenged members who have asked me to change their address.

  Bob

On Wed, Feb 3, 2021 at 11:55 AM Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


 

I would ask those members to reapply with the new email address. Or you csn simply add the new email address. If necessary, you can merge their old topics once they start posting.

There is no limit to the number of things that technically challenged members/account holders might want or ask for help with. Some things they are best learning to go on their own. You csn walk them through it. You can create your own group’s personal help wiki pages or sticky posts.

I remember being shocked when the “change member email” feature was implemented, at how much power it gave me as an owner, and at the realization that I had to treat it respectfully, and the subtle simultaneous realization that other group owners might not.

It just feels wrong.


On Feb 3, 2021, at 10:57 AM, Robert Oshel <robert.oshel@...> wrote:


How about allowing a moderator to change someone's email address only for that group, and the change does not go into effect until after the person is notified by email to the old address that the moderator is attempting to change his or her email address for the group and the person clicks an "I approve" option in the mail?  I have some technologically challenged members who have asked me to change their address.

  Bob

On Wed, Feb 3, 2021 at 11:55 AM Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


 

I ran into the need for this just yesterday and have yet to actually use it. I have a member in one of my premium groups who applied for a new membership. Because I knew who the person was, I suggested he just change his email address so he stays connected with his content. I explained how he can change his email address, but it didn't work for him. We have been unable to ascertain why. I should add that he wants to change his email for all his groups.io memberships, as his old email is going away. 
 
At this point I don't know what the problem is. The group activity doesn't show me anything. And because his old account is going away, there is a certain desire on his part to do this right away. The obvious solution to me is to change his email address for him. And yet I am hesitant for all the reason to just jump to this for all the reasons we've talked about in the past.
 
If this ability goes away, it's going to add a burden to support's load. I see an obvious need for the authority. But it tends to be those operating in the right hand lane who need that assistance. I would suggest disallowing the ability to change owners' or moderators' addresses, who are more likely to be able to do that on their own anyway. But for the sake of avoiding more work for Support, leave the ability for owners to help regular members who tend to be less technology savvy.
 
I can also see a need for the ability to merge membership accounts. I have had a number of members who rejoined as a new address, leaving their old accounts orphaned. I would welcome the ability to merge their old email account into their new one to maintain content control.
 
From my viewpoint the problem is the user of the authority, not the ability. As noted above, taking away the ability to change an owner's or moderator's would avoid most on these risks. Added to this, I suggest that a moderator should not be able to change the role of owner. I see hijacking the ownership of a group to be a greater problem.
 
Dano 
 
 
J_Catlady  wrote:
> I would ask those members to reapply with the new email address. Or you csn simply add the new email address. If necessary, you can merge their old topics once they start posting.
>
 

Virus-free. www.avg.com


Andy Wedge
 

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy


 

On Wed, Feb 3, 2021 at 12:50 PM D R Stinson <dano@...> wrote:
 
From my viewpoint the problem is the user of the authority, not the ability. As noted above, taking away the ability to change an owner's or moderator's would avoid most on these risks. Added to this, I suggest that a moderator should not be able to change the role of owner. I see hijacking the ownership of a group to be a greater problem.
 
Moderators already cannot change the Role of owners.

Thanks,
Mark


 

> Moderators already cannot change the Role of owners.

Thanks Mark. I was made aware of that after I posted. As I commented to Bruce, keeping up with beta and GMF is much more difficult since the final exodus from Y!.
 
But I stand by the rest of my thought. Please continue to provide us the tools to help regular members. That was the primary reason I took several of my groups Premium in the first place.
 
I do think Andy Wedge's idea in the previous post, to send a warning message or prompt to the owners of other groups that the member is subscribed to, is worthy of consideration.
 
Dano
 

Virus-free. www.avg.com


 

Andy,

I never said I’m not “comfortable or confident” using the feature. I don’t know where you get that. I think the feature gives groups inappropriate power over members’ groups.io accounts. 

As Bruce put it: we can’t change members’ profiles, but we can change their login info? 


On Feb 3, 2021, at 2:56 PM, Andy Wedge <andy_wedge@...> wrote:

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


 

Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group theg join, csn actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.

No, Andy. I am entirely comfortable and confident in using grouos.io. But no, I’m not comfortable or confident with that scenario. 


On Feb 3, 2021, at 3:32 PM, J_Catlady via groups.io <j.olivia.catlady@...> wrote:

Andy,

I never said I’m not “comfortable or confident” using the feature. I don’t know where you get that. I think the feature gives groups inappropriate power over members’ groups.io accounts. 

As Bruce put it: we can’t change members’ profiles, but we can change their login info? 


On Feb 3, 2021, at 2:56 PM, Andy Wedge <andy_wedge@...> wrote:

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu