Friday, August 21, 2020

Disposable email addresses can be used against your website.

Introduction


Hosting a website means dealing with a lot of security concerns. If the website does not implement HTTPS it is almost worthless, or worse, it harms its clients' security.


Recently I looked for an email provider such as Gmail, but one which respects the entire privacy of its users. Most email providers require your phone number or other private information, and they can also obtain your IP address (a dynamic IP address mitigates this concern, but we are still not 100% safe).


Then there is Guerrilla Mail. With such an address you can enjoy your anonymity: for example, send a complaint or a message to your local government, a celebrity, or anyone else you want to say something to without disclosing your identity.


Some stupid people claim they have nothing to hide, so they do not worry about any disclosure of their information hosted on social networks or elsewhere. Fine, then anyone can steal their credit card details or their address and dump garbage in front of their house. Privacy is the top priority.


Some blind people say that a guy who blames or attacks a celebrity without giving his real name does it because he knows he is inferior to the person he is attacking, but whoever says this does not know (or does not want to know) the reality. Being unknown is POWER. If you are unknown, you can be mostly superior to the target, since the consequences of what you say do not feed back to you, because you are anonymous. So the maxim is not actually real; it is what the speaker wants to believe, not what is.


Guerrilla Mail serves random email addresses such as [******@sharklasers.com], and the inbox expires after about 60 minutes. Since it does not require any private information (phone number, name, etc.), combined with (if you are paranoid) a properly configured Tor Browser plus a VPN, you can enjoy almost perfect anonymity.


Issue for web application provider


On the other hand, these disposable email addresses are risky and troublesome for web application developers, because their anonymity enables some tangible threats:


1. Adversaries can register an account for the web service with a disposable email address and then probe it, and if they find a vulnerability (a zero-day, say) it will be exploited without leaving a usable trace, because the address is disposable and the attacker is completely anonymous. You watch your system and, in the worst case, your customers' data is compromised without you or your country's government having any clue who on earth did it. (If the account was created with an address in a domain such as Gmail, all you need to do is ask the local police to require Google to hand over details about whoever created that account.)


2. If a public API endpoint is provided, adversaries can flood the web app with millions of requests at once and create billions of companies, crushing the database and the bandwidth. Requiring an OAuth/JWT token does not help on its own, because adversaries can drive the web UI with Selenium, scraping the pages, so everything can be automated.
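The flood described in point 2 is a throttling problem before it is an authentication problem: a scripted browser still arrives from some source address and still has to hit the same registration endpoint. The following is an added example (not the post's own code, and not any real site's implementation) of a sliding-window rate limiter keyed on the client IP; the limit, window, IP `203.0.113.7` and burst scenario are all constructed for illustration.

```python
"""Throttle account creation per source so a scripted sign-up loop cannot
create "billions" of accounts. Added example, not the blog post's own code.

The limiter is keyed on whatever identifies the caller (here the client IP,
which a Selenium-driven browser cannot hide from the server). The clock is
injected so the behaviour can be exercised offline without sleeping.
"""
from collections import deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key inside any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits: dict[str, deque[float]] = {}

    def allow(self, key: str) -> bool:
        """Record one attempt for `key` and return True if it is within budget."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Discard attempts that have slid out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Over budget. Rejected attempts are not recorded, so a steady
            # flood gets exactly `limit` accepted sign-ups per window.
            return False
        hits.append(now)
        return True


def simulate_signup_burst(attempts: int, limit: int = 5, window: float = 60.0) -> tuple[int, int]:
    """Constructed scenario: one client (assumed IP 203.0.113.7) fires
    `attempts` sign-ups in quick succession, waits out the window, then
    tries once more. Returns (accepted_in_burst, accepted_after_wait)."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: fake_now[0])
    accepted = 0
    for _ in range(attempts):
        fake_now[0] += 0.01          # 10 ms between scripted requests
        if limiter.allow("203.0.113.7"):
            accepted += 1
    fake_now[0] += window            # attacker waits for the window to pass
    after_wait = 1 if limiter.allow("203.0.113.7") else 0
    return accepted, after_wait


if __name__ == "__main__":
    print(simulate_signup_burst(100))
```

Keying on the source IP alone is a floor, not a ceiling: a botnet or a rotating proxy pool spreads the load across many keys, so production deployments combine this with a second key (the email domain, the device fingerprint) and with a challenge such as a CAPTCHA or proof-of-work on the registration form.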


To make things worse, if your website hosts confidential data, a non-paranoid approach to security can harm or even kill your business. I've seen many companies expel highly skilled hackers because of their lack of communication skills: they put "sociability" as the top priority and used to be scornful of the smarty-pants who pointed out a bunch of security risks.

If you have tried to hack a system or done some dirty jobs such as reverse engineering, you know how risky it is to leave things lying around that a non-tech-savvy business team does not care about.


THAT'S WHY THE COINCHECK DISASTER HAPPENED


and people never learn from that lesson.


Rejecting these nasty disposable email addresses is already implemented at Twitter, Amazon, and Facebook (and LinkedIn).
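The simplest form of that rejection is a domain blocklist applied at sign-up, which is also the natural place to handle the point-1 threat: refuse the throwaway address before an account exists. The following is an added example, not code from the post or from any of the sites just named. The blocklist is a constructed sample (sharklasers.com is the domain the post mentions; the other entries are further Guerrilla Mail domains); a real deployment loads a maintained list and refreshes it, because new disposable domains appear daily.

```python
"""Reject sign-ups that use a disposable (throwaway) email domain.

Added example; not the blog post's own code and not how Twitter, Amazon,
Facebook or LinkedIn actually implement it. The blocklist is a constructed
sample and must be replaced by a maintained, regularly refreshed list.
"""
import re

# Constructed sample. sharklasers.com is the domain named in the post; the
# rest are other Guerrilla Mail domains. Treat this as a data file, not a
# constant, because the real list is long and changes daily.
DISPOSABLE_DOMAINS = {
    "sharklasers.com",
    "guerrillamail.com",
    "guerrillamail.net",
    "grr.la",
}

# Deliberately strict: one local part, exactly one '@', and a domain made of
# dotted LDH labels. Anything the pattern rejects is refused outright rather
# than guessed at, so a malformed address cannot slip past the domain check.
_EMAIL_RE = re.compile(
    r"^(?P<local>[A-Za-z0-9._%+\-]{1,64})@"
    r"(?P<domain>[A-Za-z0-9\-]{1,63}(?:\.[A-Za-z0-9\-]{1,63})+)$"
)


def parent_domains(domain: str) -> list[str]:
    """Return the domain and each of its parents, shortest suffix last but
    never the bare TLD: 'x.y.grr.la' -> ['x.y.grr.la', 'y.grr.la', 'grr.la']."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_disposable(email: str) -> tuple[bool, str]:
    """Return (blocked, reason). Blocked when the address is malformed or when
    its domain, or any parent domain of it, is on the blocklist. Matching
    parents means a subdomain of a listed provider is blocked as well."""
    match = _EMAIL_RE.match(email.strip())
    if match is None:
        return True, "malformed address"
    for candidate in parent_domains(match.group("domain")):
        if candidate in DISPOSABLE_DOMAINS:
            return True, f"disposable domain {candidate}"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sign-up attempts.
    for addr in ("someone@sharklasers.com", "x@mail.grr.la",
                 "alice@example.com", "a@b@sharklasers.com"):
        print(addr, "->", is_disposable(addr))
```

Domain matching is a cheap first filter, not a guarantee: the same providers register fresh domains faster than any list is updated, and a mail forwarder behind a respectable domain defeats it entirely. Keep it in front of, not instead of, an email verification step and a per-source rate limit on the registration endpoint.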







If your team is not very interested in security, there is no problem so far. But once hackers come for you (especially state-sponsored ones), your system is a piece of shit waiting for people to get killed.


Think carefully.


(oh, by the way please check my song: https://keitaroimo.bandcamp.com/)
