moderated Changing email address security issue #misc


 

Dano,

So you can see, a person belonging to a single group is more likely to
be the exception than the rule.
I have no evidence, but I think it may be your experience that is the exception. ¯\_(ツ)_/¯

In any case, a modification could be that the member may not have subscriptions to any groups that you (the mod/owner taking the action) do not also own/moderate.

In the baddie scenario that would again limit the effect to groups under the baddie's control. That is, subscriptions the baddie already could remove and groups the baddie could already join.

Those are the people that seem to need the most assistance today. They
joined back when joining was simpler ...
Has that changed in some way?

... and they may have had a spouse to help them. They're older now,
and many have trouble doing much more than replying to posts.
That seems more plausible.

Shal


 

Shal,

Yes, coffee time for me. Realized immediately after.

However, the whole thing still feels wrong to me. One issue is that it’s asymmetrical. New member joins a lone group, asks mod to change their email address, mod says sure, no problem. Time goes by and they join another group, decide to change their email address again, and this time mod says sorry can’t do that, you’re now in more than one group. User scratches head in confusion.

Or, mod sees the “change email” panel in the member page for only a subset of their members, wonders why it’s gone (or grayed out) in the others. At minimum this will require a lot of education of mods.

I feel there are other scenarios that we can’t imagine yet.

On Feb 3, 2021, at 11:54 PM, Shal Farley <shals2nd@gmail.com> wrote:

J,

Nothing until they start joining other groups.
Coffee time (for you or for me*)?

If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act.

If the baddie acts first it is the baddie's own address joining those other groups. The baddie could have done that w/o stealing a subscription to his/her own group.

Looked at another way, if the victim has no other subscriptions, then the baddie's address change ploy is no different than removing the victim from baddie's group and subscribing the baddie's alternate address to that group.

There may be one slight thing to gain. It allows the baddie to be seen as the poster of the victim's content in baddie's group. But then again the baddie could remove and repost the victim's content, so it is a really meager advantage.

Shal
*Actually, nearly bed time for me. So water, not coffee.




--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


Andy Wedge
 

On Thu, Feb 4, 2021 at 08:09 AM, D R Stinson wrote:
So you can see, a person belonging to a single group is more likely to be the exception than the rule.
The 1000+ members in my group had never heard of Groups.io until we switched to using it. There is one member that I know of who has membership to another group but that's it. So the other 999+ are hardly the exception.

Andy


Sandi D <sandi.asgtechie@...>
 

On Wed, Feb 3, 2021 at 01:43 PM, Dave Sergeant wrote:
Nobody but the member himself should be able to change email addresses.
I would agree. Email addresses should be under the control of the person they belong to and not a third party.
 
--
Sandi Dickenson


Robert Oshel
 

Wouldn't having the system send an email to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem? The would-be hijacking moderator or owner wouldn't have any control over the original address, so he or she couldn't send a confirmation that the change is legitimate and the change wouldn't take effect.

   Bob


On Wed, Feb 3, 2021 at 8:01 PM Bruce Bowman <bruce.bowman@...> wrote:
On Wed, Feb 3, 2021 at 07:29 PM, J_Catlady wrote:
If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?
Correct.

Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address. That being so, anyone with $20 in their pocket and a few extra email addresses can set up a Premium group for a month and shanghai the accounts of everyone who joins it.

Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

Regards,
Bruce
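The confirmation step Robert Oshel proposes above, sketched as an added example; it is not part of the thread and is not Groups.io code. The `Accounts` class, its method names, the token format and the 24-hour window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key (constructed for the example)
TTL = 24 * 3600                   # assumed confirmation window, in seconds


class Accounts:
    """Hypothetical account store: an email change stays pending until the
    holder of the OLD address confirms it."""

    def __init__(self):
        self.email = {}    # user_id -> current address
        self.pending = {}  # user_id -> (new_address, expires_at, requested_by)
        self.outbox = []   # (recipient, token) pairs standing in for sent mail

    def _token(self, user_id, old, new, expires):
        # Bind the token to the exact old -> new pair and its expiry, so it
        # cannot be replayed to confirm a different change.
        msg = f"{user_id}|{old}|{new}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def request_change(self, user_id, new, requested_by, now=None):
        now = time.time() if now is None else now
        old = self.email[user_id]
        expires = int(now) + TTL
        self.pending[user_id] = (new, expires, requested_by)
        # The token is mailed ONLY to the old address, whoever asked for the
        # change (member, moderator or owner). Nothing changes yet.
        self.outbox.append((old, self._token(user_id, old, new, expires)))

    def confirm(self, user_id, token, now=None):
        now = time.time() if now is None else now
        if user_id not in self.pending:
            return False
        new, expires, _ = self.pending[user_id]
        expected = self._token(user_id, self.email[user_id], new, expires)
        if now > expires or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        self.email[user_id] = new
        del self.pending[user_id]
        return True


def demo():
    """Owner-initiated change without the mailed token fails; the member's own succeeds."""
    a = Accounts()
    a.email["u1"] = "member@example.org"            # constructed sample data
    a.request_change("u1", "owner-alt@example.net", requested_by="owner", now=1000)
    hijack = a.confirm("u1", "0" * 64, now=1001)    # owner never saw the token
    a.request_change("u1", "member-new@example.org", requested_by="member", now=2000)
    _, token = a.outbox[-1]                         # read from the old mailbox
    return hijack, a.confirm("u1", token, now=2002), a.email["u1"]
```

A member who has lost access to the old address cannot complete this flow; the thread leaves that case to Groups.io support.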


Jeremy H
 

As I mentioned in another thread, the Groups.io ecosystem is formed of three groups of stakeholders: "Service provider (Groups.io, Inc, i.e. Mark)", "Group Owners" and "Group Members" - each of whom has a relationship with both of the others. In particular, Group Members do have a direct relationship with Groups.io, Inc, separate from whatever relationship they have with Group Owners. And it is because of their relationship with Groups.io, Inc, that they can be members of groups.

From this it follows, that Group Owners should only be able to change a Member's settings that are, specifically, part of their membership of that owner's group.

And that any Member Settings that apply to no specific group, or multiple groups, should only be able to be changed by the member, or (if really necessary) by Groups.io support.

As a user's (Group Member's) e-mail address is used to log on to Groups.io, and for all messages from all their groups, it follows that only they, or Groups.io support, should be able to change it. (If they had a separate e-mail-address-for-posts-from-this-group, then that group's owner should be able to change that - but (AIUI) that's not how Groups.io works)

The one area where this might not apply is for Enterprise groups, which - possibly - can have a different set of relationships, with a group owner, potentially, having the ability to prevent their members joining other groups.

Jeremy


 

On Thu, Feb 4, 2021 at 02:04 AM, Andy Wedge wrote:
There is one member that I know of who has membership to another group but that's it.
In my group, and in many or most of the cats groups, probably between 50% and 90% of the members are in other groups.
 
--
J



 

On Thu, Feb 4, 2021 at 03:50 AM, Robert Oshel wrote:
Wouldn't having the system send an email to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem?
I think it may (although my gut tells me that unforeseen problems could still ensue). As others in this thread have pointed out, and with which I strongly agree, requests by members for help making groups.io-wide changes to their accounts, such as their very identity (email address) in the system, should go to groups.io if the member themselves can't navigate the change, and not to an individual group owner. Just as today Mark posts about an unforeseen problem, I would bet there will be others, even with this suggested confirmation/notification, due to the entity making the change (group owner) being at the wrong level.

I think the problem is not that these users having trouble changing their email addresses are technically challenged, or too old, or however others here have described them. The problem is that the system has not made it easy enough for them to do. Why not fix that real problem instead of going through contortions to put bandaids on it?
 
--
J



Peter Cook
 

On Thu, Feb 4, 2021 at 09:32 AM, J_Catlady wrote:
system has not made it easy enough for them to do
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.

Pete


 

On Thu, Feb 4, 2021 at 06:42 AM, Peter Cook wrote:
I think it's VERY easy. When someone has an issue and needs to change their address, I just tell them to go to https://groups.io/account and change it. It's never been a problem.
Well, for some reason, some people here are complaining that it's been too hard for their members to do, or that it hasn't worked, etc. It looks easy for sure. And it really is not rocket science. So my guess was that something has been going wrong with the "reconfirmation" part of the change, such as perhaps the confirmation email going into the stratosphere. Who knows. I don't believe anyone is making this up. People have been having problems, for some as-yet unknown reason. I also have never had a member who's had a problem with it. I think it just needs to be explained to them clearly, if not by the system itself on the page (which I think could use some clarification), then by the group owner.

--
J



Mark Murphy
 

I reported this issue to Mark privately because I consider it a serious security issue. I believe the potential security implications far outweigh any convenience this feature may provide even to a well-intentioned owner or moderator who wishes to help a member who no longer has access to an email address or who wishes to change their email address.

Maybe I'm missing something about the "need" for this feature. If a member wants/needs to change their email address, why can't the member just re-subscribe to their groups with the new email address? Are there common and valid use cases for owners or mod needing to change the email on behalf of the member, other than "convenience" for the member?

The problem here is that the ability for a user to change their email address is often implemented through an authentication mechanism other than email, such as providing a username and password. Since these are not required in GIO for email only members, there is no alternative authentication mechanism available.

Thank you,

Mark


Peter Cook
 

On Thu, Feb 4, 2021 at 09:54 AM, Mark Murphy wrote:
re-subscribe to their groups with the new email address
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 

Pete


Mark Murphy
 

On Thu, Feb 4, 2021 at 09:57 AM, Peter Cook wrote:
I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there. 
Yes, I should have said that also. Re-subscribing might be the only way for members who are unable to log in to GIO (never logged in, can't remember password, etc.) and have lost access to their original email account.


John Pearce <jponsalt@...>
 

To add to the opinions here, I would point out that in our group people don't even ask 99% of the time to have one of us change their email address. They just open a new groups.io account, and go through the routine to subscribe. We are a restricted group. They always seem to leave the old subscription in place, often because they somehow forgot their passwords or otherwise lost control of their account. This doesn't bother us too much because we don't pay by member but I do ask about a possible old address if they tell us in the subscription response they were members before then I delete the old subscription. We have over 1400 members. About half are special only, we don't allow no mail so that we get bounces when Yahoo disables accounts. Our group has been in existence for over 20 years and most had been on nomail on Yahoo before we moved here. I suspect many have died as many of our members are seniors. I see the horrible risks involved with being able to have moderators/owners be able to change someone's email address, no matter how remote. I vote to remove that ability altogether as our group would almost never benefit from its existence and is unnecessary when it might.

John


Peter Cook
 

On Thu, Feb 4, 2021 at 10:25 AM, Mark Murphy wrote:
Re-subscribing might be the only way for members who are unable to log
If they haven't lost access to their email, they can go to Log In > Email me a link to log in, and get in that way.


 

Mark, (the Architect one)

It does make a difference IMO, and I may have missed it in the shuffle, but I take it the feature is staying put, for now anyway, right?  Your OP implies you're not removing the capability itself. 

If yes, some info from you could help in the debate.  I see both changed-email log entries, for the times I did it myself for a member through the feature, and the times a member changed their address themselves through the main account settings.  Could you write a query to mine it from the logs of paid groups whose owner or mod has used the feature?  Just the raw data would be fine, we could analyze it for trends and such so you don't spend any more time for it. 

One row per group: Prem or Ent, number of members, "log entry instigator" is owner total, is mod total, and is-plain-member total.  Maybe add anything else you think could help with spotting trends.

Some info like this should help clear some things up, not only on usefulness of the feature, but also how to go about fixing it, if it's staying.

It could also point out to what has been suggested and seconded; put aside the feature itself for now and instead concentrate on the real problem, the underlying address-change itself, because if that's -technically & visually- fixed in a good way, bolting onto it email-based address-change and this (now reworked) feature would be very easy.

If we can somehow provide the user a safe (as much as possible) and easy (as much as possible) cradle-to-cradle process that begins from [the login screen or special landing captcha'ed page or email link click], or if not, definitely from the account settings screen, and ends all the way back to a landing page and/or confirmation email, the real underlying problem is fixed, with the side benefit of making the process easier for the user regardless.

That could make the feature moot.  Or it can still be left as a convenience feature but relegated to just that group-address-change only (plus create new account if needed).  Since the user process itself should be easier now, group-only address-change can be feature-done by the admin (but the member would still need to confirm that for it to happen), and universal address-change can only be done by the user, sorry; that should help cut down on the risk some in the sense that it may not fully prevent the damage, if it slips by it would be limited in scope at least.

Limiting the feature to group-only would also allow the user to easily/conveniently change their subscription on only one group without touching the others and without having to leave, create a new account, and rejoin with that, the admin does it for them, a user-help AND convenience feature. It would be like what Yahoo had, can have a different address on each group, except instead of the user the admin does it for them. Who knows, that may potentially cut down on some of the address-change issues we're having maybe users are trying to figure out how to (easily) accomplish this trick and causing themselves (and possibly others) grief.

Initiating email-based address-change can be accomplished by having a "change email address" link in the footers which would kick off the process we come up with, with safeguards in place of course since anyone can click it, just like anyone can click on "mail me a link".

Cheers,
Christos


Peter Cook
 

On Thu, Feb 4, 2021 at 12:38 PM, Peter Cook wrote:
On Thu, Feb 4, 2021 at 10:25 AM, Mark Murphy wrote:
Re-subscribing might be the only way for members who are unable to log
If they haven't lost access to their email, they can go to Log In > Email me a link to log in, and get in that way.
Whoops - I missed the "and have lost access to their original email account" in your post. Like J, need coffee.


 

Those are the people that seem to need the most assistance today.
They joined back when joining was simpler ...
Has that changed in some way?
Curiously, yes it seems to have. I'm seeing a number of people who remember how things were before, and now with groups.io's streamlining of things they don't understand how things are as simple as they are. Just changing email addresses isn't an obvious process to them. I have a number of members who just quit and rejoined instead.

... and they may have had a spouse to help them. They're older now,
and many have trouble doing much more than replying to posts.
That seems more plausible.
It's not so much age as what type of work they did all their lives. These were blue collar workers who didn't use computers in the workplace. They had computers at home, but their kids used them or their wives learned to use them. Today a number of them get by with the help of friends. I've lost a couple that just dropped off. I don't know if it was because of death, computer problems and no help, or perhaps other technical problems. I was so thankful for the simplicity of the transfers from Y! to groups.io because many of these guys never noticed. Most of them didn't start threads, but rather used 'Reply' for everything, so they never noticed. I even had a couple concerned messages when Y! groups announced they were going away. They hadn't quite connected the group moving a couple years previously. Needless to say, I leave these guys on moderation so I can intercept questions and clean up their trailing trash.

But they can tell some good stories and they remember valuable things that would otherwise be lost.

Dano

--
This email has been checked for viruses by AVG.
https://www.avg.com


 

I discourage members from doing that, and my suggestion to them is easier: Just go to their account page and change it there.
Yes, I should have said that also. Re-subscribing might be the only way for members who are unable to log in to GIO (never logged in, can't remember password, etc.) and have lost access to their original email account.
…Which brings up once again the desire to be able to reconnect a member's old identity to the new one if we know and confirm it, so they can retain copyright ownership of their posted messages and shared photos and files.

Dano



billsf9c
 

SECURITY: You can no longer change the email address of a member who is a moderator of a group. Discussion.

Yahoo lost a great list of 2000 due to this issue. 2 owners suddenly died a month apart. The 3rd and original owner was sad and would not consider a new appointment until after her planned 30 day vacation despite my adamant warnings. In a hotel her email was hacked. Somehow she lost her ownership ability despite getting owner-mail.

A sole remaining mod did what he could but also did harm... perhaps why he was only a mod.

Now, Premium Groups can get support help. I needed and got that once to help another list, (not mine, but was okay'd by the past owner to assume its helm.) But no lower group has recourse. Maybe "send this documentation & $20?"

Dunno - but ponder some last gasp assist, please, for the "outer limits" "twilight zone" that may and will occur.

BillSF9c