|
anthonypants posted:why do you have three mouse cursors He doesn't know how to use the three
|
#
?
May 15, 2018 01:49
|
|
|
|
| # ? Apr 29, 2024 18:26 |
|
|
ever since i went to three cursors i feel like my productivity has at least doubled maybe more
|
|
#
?
May 15, 2018 01:52
|
|
|
the forbidden yospos technique
|
|
#
?
May 15, 2018 02:02
|
|
|
I like the creativity here: https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html quote:This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.
|
|
#
?
May 15, 2018 02:08
|
|
|
if you dont validate emails before letting people sign up you deserve whatever you loving get
|
|
#
?
May 15, 2018 03:04
|
|
|
CRIP EATIN BREAD posted:if you dont validate emails before letting people sign up you deserve whatever you loving get sounds like you're trying to increase friction, a natural impediment to growth hacking. perhaps you'll be more at home in a legacy industry?
|
|
#
?
May 15, 2018 03:17
|
|
|
what I like most is trying online games that someone created an account with my email address, so i then recover password and end up with a loaded up account from the get to go
|
|
#
?
May 15, 2018 03:19
|
|
|
someone signed up to farmersonly.com with my email. also their mobile phone provider for their company. which i cancelled.
|
|
#
?
May 15, 2018 04:45
|
|
|
CRIP EATIN BREAD posted:if you dont validate emails before letting people sign up you deserve whatever you loving get Additional subscribers for less effort.
|
|
#
?
May 15, 2018 05:11
|
|
|
i have multiple people using one of my email aliases for all their work poo poo one of them did a good job working at the Commonwealth games and got invited back for next year
|
|
#
?
May 15, 2018 05:19
|
|
|
i wonder if theres groups out there who run mass schemes of registering email addresses of using the names of target politicians/business leaders/etc on all the big email services they can in the chance they catch oops if someone as dumb as me has thought of it then I assume a) yes and b) theres already been reporting on it like domain squatting but for everyone on an organizational chart or something I dunno!!
|
|
#
?
May 15, 2018 05:35
|
|
|
i was getting someone's at&t bills for a long time thanks, melissa for paying your bills in a timely fashion
|
|
#
?
May 15, 2018 06:00
|
|
|
Bulgakov posted:i wonder if theres groups out there who run mass schemes of registering email addresses of using the names of target politicians/business leaders/etc on all the big email services they can in the chance they catch oops i, bill gates, am giving away a million dollars to one lucky person!!
|
|
#
?
May 15, 2018 06:04
|
|
|
Lutha Mahtin posted:i, bill gates, am giving away a million dollars to one lucky person!! no, its the reverse kind of phishing where the marks email you sensitive material out of the blue it owns to have a name thats similar to a celebrity
|
|
#
?
May 15, 2018 08:16
|
|
|
Krankenstyle posted:no, its the reverse kind of phishing where the marks email you sensitive material out of the blue thats what I meant so thanks there is no way that backwards phishing hasn't been conspired on a nation-state level sincerely, bill warren buffet gates
|
|
#
?
May 15, 2018 08:48
|
|
|
CRIP EATIN BREAD posted:if you dont validate emails before letting people sign up you deserve whatever you loving get I nuked someone’s nook and library because it wouldn’t stop emailing me and there was no way to stop it other than assume the account
|
|
#
?
May 15, 2018 13:26
|
|
|
i always do a password reset on their poo poo in many ways, i am the poop theyre touching
|
|
#
?
May 15, 2018 14:58
|
|
|
James Baud posted:Arguably dead man switch if we put stock in the links between Paul Le Roux and Truecrypt: Article is a pro-click; I'd recommend starting from part 1, and set aside an hour or so!
|
|
#
?
May 15, 2018 16:26
|
|
|
Krankenstyle posted:i always do a password reset on their poo poo the worst is when people give out your email to sign up for things like mailing lists for their kids little league hockey teams. because even if you get yourself removed everyone is still doing a "reply all" on an old thread and nobody really pays attention to your pleas to get off the list. after over 2 full seasons of that siht I offered photography services for their children in my pimped out astro van with no windows, free of charge, and the head of the league threatened to call the police.
|
|
#
?
May 15, 2018 19:09
|
|
|
CRIP EATIN BREAD posted:the worst is when people give out your email to sign up for things like mailing lists for their kids little league hockey teams. getting on the sex offenders registry to own da libs
|
|
#
?
May 15, 2018 19:16
|
|
|
lmao
|
|
#
?
May 15, 2018 19:17
|
|
|
Salt Fish posted:I like the creativity here: its entirely google's fault. like not even a question.
|
|
#
?
May 15, 2018 19:43
|
|
|
Shaggar posted:its entirely google's fault. like not even a question. iunno, i place a little bit of blame on netflix for allowing someone to modify account details without verifying email or password at all.
|
|
#
?
May 15, 2018 19:52
|
|
|
Salt Fish posted:I like the creativity here:
|
|
#
?
May 15, 2018 19:53
|
|
|
sleepwalkers posted:iunno, i place a little bit of blame on netflix for allowing someone to modify account details without verifying email or password at all. not so much account details as creation. if jameshfisher had to approve the jamesh.fisher account this trick wouldn't work (unless he clicks on it by reflex just like with the cc renewal) once the account is created email verification wouldn't help because both emails route to the same gmail account and jameshfisher believes he is configuring his own account although now that I am rereading it I am confused how it gets from email link to account config page without asking for credentials on the way. if netflix is emailing out pre-authenticated links that's also bad haveblue fucked around with this message at 20:17 on May 15, 2018 |
|
#
?
May 15, 2018 20:12
|
|
|
Mailing out magic links isn’t a big deal if you’re going to give that same email address the ability to do password resets anyway.
|
|
#
?
May 15, 2018 20:39
|
|
|
is the "dots" feature even allowed under the relevant standards? in before somebody posts that regex from the RFC
|
|
#
?
May 15, 2018 20:49
|
|
|
Lutha Mahtin posted:is the "dots" feature even allowed under the relevant standards? in before somebody posts that regex from the RFC i don't think theres an rfc about how you redirect emails like you can use about 5 different permutations of my name and initials to get an email to my inbox at work
|
|
#
?
May 15, 2018 20:51
|
|
|
Someone should tell that guy about how google handles plus symbols in email addresses.
|
|
#
?
May 15, 2018 21:07
|
|
|
the post that Schneier references talks about plus addresses. spoiler alert he's not a fan of those either
|
|
#
?
May 15, 2018 21:14
|
|
|
I can see people not caring too much about the dot feature since it's presumably just there to catch mistyped addresses (seems like a bit of an arbitrary character to have chosen for that reason tbh) - but the plus thing is genuinely really useful.
|
|
#
?
May 15, 2018 21:19
|
|
|
big fan of plus signs and periods to get multiple free trial months of services here.
|
|
#
?
May 15, 2018 21:30
|
|
|
The third one that I think still works is googlemail.com is an alias of gmail.com
|
|
#
?
May 15, 2018 21:31
|
|
|
yeah, and it prevents an attacker from registering all of those typos and then impersonating the target address
|
|
#
?
May 15, 2018 21:32
|
|
|
i solved the problem of "people with the same name using my email" by having a common-as-dirt name and therefore never having the chance to grab the my.name@whatever.com address life hack: don't be interesting in any way whatsoever
|
|
#
?
May 15, 2018 21:36
|
|
|
Trabisnikof posted:Mailing out magic links isn’t a big deal if you’re going to give that same email address the ability to do password resets anyway. yeah, i thought about that as well but its maybe a more obvious tell when netflix sends an email saying 'verify your new netflix account we need you to interact with this' to an email that already has an account than if they just jump to 'click this link and theres no guarantee well present you with or youll notice any differences in credentials"
|
|
#
?
May 15, 2018 21:43
|
|
|
CRIP EATIN BREAD posted:someone signed up to farmersonly.com with my email. Holy poo poo me too. And a dirt bike forum. And a "large black ladies" dating site. Then there was the guy in the UK who used my email on a car loan application; I love how much sensitive personal information they started sending to me once he fell behind on his payments
|
|
#
?
May 15, 2018 22:02
|
|
|
How exactly does this netflix "exploit" work? You get an email saying that youemail+lolnotreally@gmail.com netflix account has an invalid card on it and asks you to provide a new one... so you click a link to netflix and it asks you to log in, and you log into your normal account instead of the one with the expired card... and everything is fine? The only way I could see this being an issue is if netflix send out a magic link that logs you into an account and lets you access billing details with no verification what so ever. If that's the case then there seems to be a pretty obvious fix.
|
|
#
?
May 15, 2018 22:05
|
|
|
yeah the issue is netflix not verifying emails
|
|
#
?
May 15, 2018 22:07
|
|
|
|
| # ? Apr 29, 2024 18:26 |
|
|
Trabisnikof posted:yeah the issue is netflix not verifying emails No I mean, even if they don't verify emails, I don't know the password to the account with dots in it. I can't add a new card to that account even if I wanted to since I can't log into it. Netflix would have to be sending out an email that not only logged you in automatically without providing a username or password, but also gives you access to billing details. It's not uncommon to request a password a second time when accessing sensitive account information such as card and address details, even if you're already logged in. The idea that netflix would provide a link that bypasses any sort of authentication seems like the glaring issue here, if that's indeed the case. What am I missing?
|
|
#
?
May 15, 2018 22:11
|
|