Another title for this submission could have been:
"Massive Security Hole in ChunkHost. Non-2FA accounts can be owned."
Because it turns out anyone with a Sendgrid Support account also effectively had potential access to any account at ChunkHost not using two-factor authentication. Which is also true of thousands of other companies that are relaying their password reset emails through third party SMTP services.
SendGrid seems lame, for allowing this and for their response promising to yell more loudly at their support people, but they're an SMTP relay service not an authentication service.
I've recently tried to use their service to send emails (club member newsletters). I've never thought much about bulk e-mails before and I thought it was a "solved problem" by now. Sendgrid are well known so they were my first choice.
During initial testing I found both bugs in the API and missing functionality. I've worked over 20 years in IT, and yet Sendgrid support is easily on the top-3 list of my worst support experiences: a total waste of time.
We ended up using mailgun instead and so far it looks much better.
We looked into sendgrid and also went with mailgun. Been with them for over a year now. Originally started with their mailing list API but had enough service delay problems that we were considering switching entirely. Don't remember exactly but may have had some outages as well. Their support suggested we change to using their batch sending API instead and I'm glad we stuck with them because it's been solid for over 5 months now. (Well, they did just have two issues recently, an SSL cert and duplicated email sending, but they didn't affect us too much.)
Overall they've been a good service provider and their tech support has always been helpful and pleasant to deal with. (I know! Crazy, right?).
Are there any web hosting companies that don't rely on the "send a reset link to your email address on file" model of password resets?
You're right, that model is deeply broken if anyone can intercept those emails (as happened in this case), but it seems unfair to single out ChunkHost for criticism.
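As an added illustration of the point above (this is constructed example code, not code from the thread, from ChunkHost or from SendGrid), the following Python models a reset-by-email flow in which the outbox stands in for the third-party relay. Anyone who can read the relay's mail can complete a reset for an account with no second factor; for an account with TOTP enrolled the same link is useless without the current code. The user names, the `example.test` URL and the 15-minute TTL are assumptions for the demo; the TOTP routine follows RFC 6238 and the `bob` secret is the RFC test-vector key.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed in-memory state for the demo (assumption: not any real provider's schema).
USERS = {}          # username -> {"salt": bytes, "pw_hash": bytes, "totp_secret": str | None}
RESET_TOKENS = {}   # sha256(token) hex -> (username, expiry_epoch); only the hash is stored
OUTBOX = []         # stands in for the third-party SMTP relay: every message is readable here

RESET_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def add_user(username, password, totp_secret=None):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash(password, salt), "totp_secret": totp_secret}


def check_password(username, password):
    u = USERS[username]
    return hmac.compare_digest(u["pw_hash"], pw_hash(password, u["salt"]))


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code the user's authenticator app shows."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def request_reset(username, now):
    """Mint a random single-use token, keep only its hash, hand the link to the relay."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, now + RESET_TTL)
    OUTBOX.append({"to": username, "body": f"https://example.test/reset?token={token}"})


def complete_reset(token, new_password, now, totp_code=None):
    """Consume the token; for a 2FA account additionally demand a current TOTP code."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False                      # unknown or already used (any attempt burns it)
    username, expiry = entry
    if now > expiry:
        return False                      # expired
    u = USERS[username]
    if u["totp_secret"] is not None:
        expected = totp(u["totp_secret"], now)
        if totp_code is None or not hmac.compare_digest(totp_code, expected):
            return False                  # the emailed link alone is not enough
    u["salt"] = secrets.token_bytes(16)
    u["pw_hash"] = pw_hash(new_password, u["salt"])
    return True


def relay_insider_takeover(username, now):
    """Someone with read access at the relay lifts the newest reset link and tries it."""
    msgs = [m for m in OUTBOX if m["to"] == username]
    if not msgs:
        return False
    token = msgs[-1]["body"].split("token=", 1)[1]
    return complete_reset(token, "attacker-chosen", now)


def run_scenario(now=1_700_000_000):
    USERS.clear()
    RESET_TOKENS.clear()
    OUTBOX.clear()
    add_user("alice", "correct horse")                                                 # no 2FA
    add_user("bob", "battery staple", totp_secret="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # 2FA

    request_reset("alice", now)
    alice_owned = relay_insider_takeover("alice", now)     # link alone resets the password

    request_reset("bob", now)
    bob_owned = relay_insider_takeover("bob", now)         # fails: no TOTP; token is burned

    request_reset("bob", now)                              # bob asks again himself
    token = OUTBOX[-1]["body"].split("token=", 1)[1]
    code = totp(USERS["bob"]["totp_secret"], now)
    bob_legit = complete_reset(token, "new-pass", now, code)
    replay = complete_reset(token, "again", now, code)     # fails: single use

    return {"alice_owned": alice_owned, "bob_owned": bob_owned, "bob_legit": bob_legit,
            "replay": replay, "alice_pw_is_attackers": check_password("alice", "attacker-chosen")}


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices worth noting: the server stores only a hash of the token, so a database read does not yield usable links, and a failed attempt consumes the token, so an insider who has the link cannot use it to brute-force the six-digit code; the cost is that the legitimate user has to request a fresh link, which is the right trade.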
With that same logic in mind, we could say that anyone working at Amazon AWS or Rackspace (or any other hosting company) could gain access to your application.
The thing is, we trust these companies to have processes in place so that their representatives won't have the ability to potentially do something destructive, and if they can, because they are the highest-ranked rep and need that kind of access, then at least auditing and training should be in place to avoid that kind of behavior.
SoftLayer still asks for admin/root passwords to your boxes in pretty much any support scenario. Their ticketing system actually has a field for it in the submission form.
If you omit it, the assigned tech will frequently ask for it. Always sends a little shiver down my spine.
I don't see how this was specific to ChunkHost, or how anybody else using SendGrid and supporting password resets through email wouldn't be vulnerable to the same attack... Since presumably password reset emails aren't outside SendGrid's target market, it seems reasonable to suggest that this is a problem SendGrid should try to fix.
Generally, an outsider doesn't care that you got owned because someone you relied upon got owned. They consider it part of your job that you make sure all the people you rely upon are reliable.
Depends on what outsider. Sure, for your customers, everything is your fault. But as an outsider that is also building services with email components, I do care exactly how they got owned so that I can think about which part of their systems were actually problematic.