
How not to send password reset notification email - slaven
http://scriptogr.am/slaven/post/how-not-to-send-password-reset-notification-email
======
Avestan
In their Security Notice they write "Never click on 'reset password' requests
in emails — instead go directly to the service". And after I changed my
password I received confirmation email saying

"This email confirms your recent Evernote password change.

If your Evernote password was changed without your knowledge, then please
click the link below to change it again:" And big "Reset Password" button.

A bit funny as they just told me to never click on something like that.

~~~
melvinmt
It's a test.

------
LaGrange
This is more generic: if you do link tracking in your email, do it through
your own domain, it's really not that hard, and urls that go through some
other business are a huge red flag.

Personally, I probably cut people a bit of slack by going through whois to
check if the domain belongs to some well-recognized mass mailer, but I
wouldn't blame the MUA for just spamming anything that mentions a "login"
along with a domain that isn't a descendant of the sender's domain.

~~~
rorrr
It's rarely up to a developer. For websites with large email campaigns there's
usually a third party system, which has some link tracking feature. And guess
what, your marketing department is using it, and they don't want to switch to
your custom one (which will take a few months to code, debug, implement all
kinds of reporting compatible with what they do now).

~~~
signed0
In this case one could simply write a script that forwards the request from
your own domain to the third party system. It could be done on the server in
such a way that the user would never leave your own domain:

1. User clicks
[http://links.example.com/?redirect=example.com/reset_passwor...](http://links.example.com/?redirect=example.com/reset_password)

2. The server running on links.example.com makes a request to the third party
web server

3. The server redirects the user to <http://example.com/reset_password>
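Two defender-side pieces follow from this sub-thread: LaGrange's mail-client heuristic (flag any link whose host is not the sender's domain or a descendant of it) and signed0's first-party redirector (links.example.com records the click with the tracker server-side, then sends the browser on). The block below is an added example, not code from the thread or from any of the providers named in it. It assumes constructed hostnames (`example.com`, `links.example.com`, `tracker.example.net`), a `notify_tracker` callback standing in for the server-side request to the third-party tracker, and a constructed sample email body. The redirector only accepts destinations under the sender's own domain and only over https, so it cannot be abused as an open redirect and the query string travels encrypted, as unclebucknasty notes further down.

```python
"""Added example: first-party link checks for password-reset email (not from the thread)."""
import re
from typing import Callable, List, Optional
from urllib.parse import parse_qs, urlparse


def is_descendant(host: str, base: str) -> bool:
    """True when host equals base or sits somewhere beneath it (case-insensitive)."""
    host = host.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return host == base or host.endswith("." + base)


# Plain-text links only; good enough for a mail client heuristic on a text body.
LINK_RE = re.compile(r"https?://[^\s<>\")]+")


def suspicious_links(body: str, sender_domain: str) -> List[str]:
    """Return every link in the body whose host is not under the sender's domain.

    This is LaGrange's rule: a 'login' or 'reset' mail carrying links that leave
    the sender's domain is a red flag, whatever the branding looks like.
    """
    flagged = []
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_descendant(host, sender_domain):
            flagged.append(url)
    return flagged


def handle_click(url: str, own_domain: str,
                 notify_tracker: Callable[[str], None]) -> Optional[str]:
    """Simulate links.<own_domain> serving a tracked click (signed0's step 2 and 3).

    Returns the https Location the browser is redirected to, or None when the
    request is refused. Refusal cases:
      - the request is not addressed to the redirector host itself;
      - the 'redirect' parameter is missing;
      - the destination is not https or not under own_domain (open-redirect guard);
      - the destination carries userinfo or a port (URL-confusion guard).
    The third-party tracker is contacted server-side via notify_tracker, so the
    user's browser never touches the tracker's domain.
    """
    request = urlparse(url)
    if not is_descendant(request.hostname or "", "links." + own_domain):
        return None
    target = parse_qs(request.query).get("redirect", [""])[0]
    if not target:
        return None
    if "://" not in target:          # accept the bare 'host/path' form from the thread
        target = "https://" + target
    dest = urlparse(target)
    if dest.scheme != "https":
        return None
    if not dest.hostname or dest.netloc.lower() != dest.hostname:
        return None                   # rejects 'user@host', 'host:port' and empty hosts
    if not is_descendant(dest.hostname, own_domain):
        return None
    notify_tracker(url)               # constructed stand-in for the tracker request
    return dest.geturl()


if __name__ == "__main__":
    # Constructed sample body: one first-party link, one tracker link.
    sample = ("Reset your password: https://www.example.com/reset\n"
              "Tracked copy: http://tracker.example.net/t/abc\n")
    print(suspicious_links(sample, "example.com"))
    seen = []
    print(handle_click("http://links.example.com/?redirect=example.com/reset_password",
                       "example.com", seen.append))
    print(handle_click("http://links.example.com/?redirect=https://evil.example.net/",
                       "example.com", seen.append))
```

Running the block prints the one flagged tracker link, then the accepted first-party Location, then `None` for the off-domain destination, with the tracker callback fired only for the accepted click.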

~~~
akaBruce
If the server running on links.example.com, wouldn't the 3rd party web server
lose out on doing things like setting cookies in the client's browser or
determining their rough location via IP address?

Not that I'm particularly a fan of either practice, but there's probably some
use cases there that would have to be accounted for in some way that the 3rd
party service could accommodate.

~~~
signed0
If that were needed perhaps links.example.com could display an iframe
containing the third party site.

I agree that neither approach is ideal, but it would prevent users from
receiving third party links in their emails.

~~~
jlogsdon
Those cookies would be blocked for browsers with 3rd-party cookies disabled,
and Firefox is making that option the default at some point in the near
future.

------
jere
Three years ago, 37signals wrote an email saying all users would have to pick
new user names and passwords (I guess changing to a single sign in across all
apps).

It was fairly well written, but I _swore_ it was an elaborate phishing scheme.
Here is an example of one of the URLs they used:
<http://37signals.cmail4.com/t/y/l/uiulli/kkulljtjr/d>

Now looking back, it's clear they were simply using a redirect URL to track
clicks, but I had no clue. You can't even go to cmail4.com without getting an
error and no description about what the service is.

------
cnu
I didn't even get the email from evernote regarding the password reset.

Luckily, I had the evernote app sign me out and ask me to login again
(which didn't work with my old password). I had to login through the website
and it prompted me to change my password (no link on why) and then it worked
with the new password.

I searched through my email trying to see if any email got eaten by the spam
folder, but none, "No emails".

~~~
jonathanjaeger
I have a feeling they're sending them in batch emails. I just got mine this
evening after a lot of other people.

------
veidr
Just an interesting tidbit I noticed: I received several of these mails from
Evernote, as I have multiple accounts (including some I set up for others).

Up until about 28 hours ago (4AM March 3 in Japan), all the embedded links
were the bogus, phishing-esque URLs that the OP complains about.

As of 22 hours ago (10AM March 3 in Japan), the emails look the same, but all
the links point to <http://evernote.com>.

So at least somebody at Evernote did notice (or read this post or respond to
similar complaints), and correct the situation in the middle of their
50,000,000-user email campaign.

~~~
slaven
That is really good to hear - all it took was probably a single checkbox in
their email marketing software to not rewrite all emailed links.

------
theyCallMeSwift
Couldn't Evernote just use a CNAME record on a subdomain that pointed to
mkt5371.com? I know that's how the SendGrid click tracking app keeps the links
on your domain (<http://sendgrid.com/docs/Apps/click_tracking.html>)

~~~
bpatrianakos
Not if the domain is always different. I've seen transactional email providers
who will give you a different domain or subdomain for each email and it's all
real random. I'm currently using Mandrill and I haven't checked if it's true
for them but I know it's true for others.

~~~
apendleton
That's a fairly arbitrary engineering decision, though. Using a CNAME for link
tracking seems like an obvious use to accommodate, and you'd think providers
would build their services with that in mind, or at least be able to tweak
them once a demand presented itself.

------
cynwoody
Quite moronic of Evernote.

HTH is J. Random User supposed to figure out that mkt5371.com is a service
hired by evernote.com? A minimally alert user would click the Report Phishing
button upon mousing over.

By including a link that happens to do the right thing, Evernote is
conditioning its users to succumb to phishing in the future.

------
nonamegiven
I got a reset message from Evernote, and I didn't even remember that I had an
account. I must have tried it for my typical 30 seconds to conclude "meh" and
moved on, then forgot it. I'm still not 100% sure what they do beyond ... note
taking?

But I initially assumed it to be ballsy phishing, a brazen attempt to
capitalize on Evernote's current trouble. Why? BECAUSE IT HAS A FUCKING LINK
TO THE SERVICE IN THE EMAIL! That's the very minimum definition of phishing.
Sheesh!

I hovered over it, saw that it was to evernote, but hovers can be faked, and
my intuition and experience told me that this smells like phishing no matter
what. Sheesh.

~~~
evilduck
Synchronized note taking. That part's nothing too special. The killer feature
for me is they do OCR on your uploaded pictures, which makes saving whiteboard
drawings and back-of-napkin diagrams a breeze, or for snapping pics of
business cards and then having searchability over the contents.

------
bpatrianakos
Great points and something I've been studying and trying to perfect myself for
my own service. So while I couldn't agree more with the author's position, I
think the unfortunate reality is that there's only a very small minority of
users who would know any better anyway. It's mostly just people like us who would
know better. Everyone else would just click because there are no spelling or
grammar errors and the email is branded properly.

This raises the question of how to educate users. I think we may be confusing
them. I don't know about everyone else, but I teach non-technical people not
to trust emails that ask you to reset your password when you didn't initiate
the action. I always teach, as many of us do I think "don't click links in
emails unless you know the sender personally or have requested the link" but
then in cases like this we have to go back on that statement and say "well
this time it's okay" and while we have really good and logical reasons for
why, I don't think we can expect non-techies to understand it. To them it
sounds like a contradiction, like "don't click links in emails except when I
say it's okay". Then even if you teach people to check where the links are
going (good luck) you've got to also teach them about domains, subdomains, and
maybe even query strings. It's just a huge mess and I'm at a loss for how to
educate people when it comes to a situation like Evernote's regardless of
having link tracking or not.

------
DocG
Worst cases of emails I have gotten are from Sony. For example, Planetside 2
beta acceptance letter came from info@e-sonyonline.com and without ANY
personal information. It was the most generic official letter I have received.
Link to download PS2 was also from link.e-sonyonline.com. I disregarded it at
first, only discovering after a while that it was genuine. And a lot of people are
having doubts about this address, just google it.

Also, their password reset letter comes from something like
contact@p7s1games.net. I usually disregard everything like this automatically.
Luckily reset link is planetside2.eu.

------
kybernetikos
Official email should _never_ include links (unless it's signed, but what is?),
the potential for trouble is just too great. I had this exact same problem
back in 2003 from a financial company. I wrote them a serious email telling
them just how dangerous it is to teach your users that it's OK to click on
links that don't even go to your domain in random emails. I even showed them
how easily I could create a phishing site.

The person who organised the email drop clearly got some hassle over it and
sent me a response personally, but clearly still did not understand the
problem.

~~~
unclebucknasty
I guess here Evernote figured any instructions they sent would have resulted
in a link being sent anyway, so why not just send the link and ensure a higher
shot of compliance.

They seemed to have forgotten about phishing.

Some sites have taken to including in such emails account information that
presumably only the company would know (such as part of the account number)
along with the name. I know of at least one bank that does this. The idea, of
course, is that the user can then verify that it must be coming from the
company.

This can be reassuring when the email is legit, but the problem is that it
requires the user to remember for subsequent emails that such information
should be present. So, if a phishing attack comes, will the user stop and
think, "hey, where is the personal account info?" Some will, but many won't. I
mean, if a user can't be trusted to follow a simple set of instructions (thus
needing links), then how can he be expected to remember the security policies
of every company for which he is a customer?

~~~
kybernetikos
Not to mention that most email has roughly the same security level as a
postcard. There are a lot of personal details that I wouldn't want written on
a postcard.

Not to mention the fact that lots of 'personal information' is not in fact
private, e.g. date of birth (one of my financial accounts uses date of birth),
mother's maiden name, social security number, etc.

~~~
unclebucknasty
True that. I often think of how many services ask for the same info as
"security questions". By definition, if there's a "standard" set of such
questions, it's not secure.

------
logn
I also hate when unsubscribe from spam is on a different domain than the
business, using a 3rd party email/marketing company. And I hate how "enter
your email to confirm unsubscribing" is pretty common.

~~~
pooriaazimi
If I can't opt-out of a mailing campaign by just clicking a link, I'll
invariably mark it as spam.

------
ringmaster
I was disappointed by this headline. After resetting my Evernote password this
morning, I was looking forward to reading about a new technique that would
allow me to avoid password resets in the future. Oh, well.

Is anyone working on such a thing?

(While I'm thinking of it, wordpress.com's password reset should be shot. I
get several emails a day because it allows resets by username instead of email
or username+email. This whole password issue needs some better minds assigned
to it.)

------
unclebucknasty
Should also be using SSL so querystring is encrypted.

~~~
apendleton
It's in an email message, which has probably already made several hops in the
clear, so that's probably a lost cause if they're looking for actual security,
but a nice idea, I guess.

~~~
unclebucknasty
True, but getting everyone on signed/encrypted email is a much more massive
undertaking than just sending an https link.

To your point, as long as straight SMTP is involved, there will always be a
gaping hole. But, sending https links is a very cheap way to prevent making
the hole even bigger.

Anyway, all of this underscores the fact that virtually nothing that Evernote
did was secure. But, most companies probably wouldn't have done much better.

