Finding vulnerable Twitter accounts with expired domains (zainamro.com)
196 points by zainamro 34 days ago | 125 comments

At some point in time we decided that email addresses control the keys to the kingdom. If you lose access to your email, there goes your social media accounts, your bank accounts, your gaming accounts, and potentially many of your commercial accounts as well.

And then we decided that custom domains are the most professional. Which does make sense: there can only be one 'robert@gmail.com'. But this is coupled with the idea that domains can expire, and that expiry does not appear to kill the identity that's potentially associated with the domain.

We should not be using email addresses as our primary source of identity verification in the first place. And we definitely _should_ have some way to globally declare that an identity has been compromised. Especially given our society's track record of keeping databases safe from breach.

I more or less assume it is inevitable that one of my major accounts will be compromised, and that this will be able to cascade into most of my major accounts being compromised. I do what I can to protect myself, but gmail as a single point of failure makes me nervous. Using any email provider besides gmail makes me even more nervous, because they don't have the full power and knowledge of Google protecting their databases.

There are other aspects here.

If you use a third party service for your email ID, the third party can ban you or, like you mention, disappear and basically take your identity away.

If you rely on national ID cards, you have another set of problems.

If you rely on phone numbers, these can be sim-jacked.

If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.

Relying on any single source seems to be a recipe for disaster. Perhaps the solution is to have multiple ways to authenticate yourself, with different levels of credibility, and to let as many of them survive as possible. Phone numbers and email IDs seem to have similar levels of credibility, but I haven't seen domain name service providers take to phone number authentication as much as I would have liked, though things are looking up. Alternatives could be backup codes, which some registrars use if you have 2FA enabled.

I think the usual suggestion is a public/private keypair. You then sign accounts saying they are yours.

This would also allow you to have multiple identities in cases where that is useful.

I've heard of various groups doing this under blockchain (of course) which is a way to solve the problem of publishing the details, but in many cases you don't really need that. It should be enough to make a key and get involved, like Bitcoin.

The issue of course is that if you lose the key(s) you have a major problem, whether they're just lost or stolen. This is probably solved with MFA but it's not a solution if that opens up other attacks.

For me, email has much more credibility than phone numbers.

The email market has worldwide competition, phone providers compete at a local level only. You can choose from thousands of different email providers, while phone provider choices for any given person are ~5.

The effective 'god' of domain names is IANA, which, while imperfect is more trustworthy than the 'gods' of phone numbers: local governments and telcos.

>If you rely on bio-authentication methods, you risk your privacy especially when the master database gets compromised.

It's my understanding that these methods (TouchID, FaceID) don't actually store your thumb prints or images of your face rather they store hashes of the output. Similar to how passwords should never be stored in plain text.

It's more than a hash since it needs to be able to match similar inputs (face at different angle, partially obscured); it's probably just a bunch of raw measurements but not actually a photo of your face.

The upside is it's only stored on the device itself and not in a master database, and also isn't used for any remote authentication, so it can't be exploited by hackers over the internet.

Theory: it can be a hash of measurements of the face, rounded to a certain precision.

Rounding drastically reduces the search space of possible values. A cryptographic hash is no good if you know that the original message can only take on a finite set of values that can easily be enumerated.

The problem is that every new source of identity added is another new attack vector. If there are 10 different ways for me to prove I am who I say I am, it only takes a security flaw in one for my account to be compromised.

If you set login to require 3/10 then 3 of those ways would need a security flaw before your account is compromised.

and then you'd need 3 factors just to log in, let alone any additional MFA those have

Yeah, I guess it could be inconvenient. On the other hand for many things I don't need to log in very often due to cookies keeping me logged in.

You point out some problems, but how do we actually do these?

Without emails as the keys to the kingdom, what would you use?

Without a global identifier for a human person (like social security in the US), how would we declare that an identity is compromised?

While I believe your ideals are well-intentioned, I think they're impractical in our current society.

I would propose that an email is the key to the kingdom, that people who run custom domains and use them for email must deposit $500 in registration to do so (to ensure the domain is registered for their lifetime), and that they should be protected by a password plus 2FA with your phone being the other factor. And I propose that each person should be uniquely identifiable by an email address stored in a global publicly-accessible database.

I would suggest having a bank or similarly regulated institution manage identity recovery. They can declare a login invalid, and they can go through the process of KYC (drivers license, SSN, in-person visit, etc) to get you a new identity.

Think Facebook login, except instead of an unrestricted entity that steals every piece of dignity it gets its hands on, it's a bank or legal custodian with strict responsibilities, penalties, and insurance in case of identity theft.

Central regulation of the identification is also subject to central censorship, discrimination, and oppression.

> Without emails as the keys to the kingdom, what would you use?

PKI. Service providers shouldn't give you access to an account just because you can prove you control an email address (during a narrow and predictable time window, no less). The simplest thing would be to encrypt the relevant part of the payload (the one containing the password reset link), so resets are only possible if you can receive the email and have the means of reading it in its "true" form.

Failing that (suppose you've not just lost your password but also the ability to decrypt the contents of the message), there should be an alternative, but the threshold for proving your identity should increase. It would ameliorate a lot if it meant that people had to show up in person somewhere. E.g., I show up at either the business's local branch (if there is one) or the USPS (or...) with my photo ID. From there, an attestation is generated that you really are who you say you are, and only with that attestation will your account be unlocked.

But Photo ID was forged long before the computers came along. There's always some way of getting around the security if you really want to. That is part of why we don't want to give in to electronic voting even though we work with computers.

This is not a retort. The claim is not that photo ID is unforgeable. The claim is that "it would ameliorate a lot if it meant that people had to show up in person somewhere".

> Without emails as the keys to the kingdom, what would you use?

From Ursula K. LeGuin's indispensable "Dispossessed":

“You're really much too polite for ...”

“For what?”

“For an anarchist,” she said, in her thin and affectedly drawling voice (it was the same intonation Pae used, and Oiie when he was at the University). “I'm disappointed. I thought you'd be dangerous and uncouth.”

“I am.”

She glanced up at him sidelong. She wore a scarlet shawl tied over her head; her eyes looked black and bright against the vivid color and the whiteness of snow all around.

“But here you are tamely walking me to the station, Dr. Shevek.”

“Shevek,” he said mildly. “No `doctor.'”

“Is that your whole name — first and last?”

He nodded, smiling. He felt well and vigorous, pleased by the bright air, the warmth of the well-made coat he wore, the prettiness of the woman beside him. No worries or heavy thoughts had hold on him today.

“Is it true that you get your names from a computer?”
“How dreary, to be named by a machine!”

“Why dreary?”

“It's so mechanical, so impersonal.”

“But what is more personal than a name no other living person bears?”

“No one else? You're the only Shevek?”

“While I live. There were others, before me.”

“Relatives, you mean?”

“We don't count relatives much; we are all relatives, you see. I don't know who they were, except for one, in the early years of the Settlement. She designed a kind of bearing they use in heavy machines, they still call it a `shevek.'” He smiled again, more broadly. “There is a good immortality!”

Vea shook her head. “Good Lord!” she said. “How do you tell men from women?”

“Well, we have discovered methods...”
The five- and six-letter names issued by the central registry computer, being unique to each living individual, took the place of the numbers which a computer-using society must otherwise attach to its members. An Anarresti needed no identification but his name. The name therefore, was felt to be an important part of the self, though one no more chose it than one's nose or height.

That seems vulnerable to the Spartacus attack.

The denizens of Anarres don't own any personal belongings, having abolished private property. A cheap trick to circumvent bad actors.

But a name must have some use, or why have one?

Non-physical things such as a reputation can be stolen or at least borrowed, too.

There's a difference between an email address and a social security number in a way that the latter will still be around if you stop paying for it or something happens to you. In some way (at least for this threat model) a gmail address is better than one on your own domain as it's unlikely to go away or get taken over.

You can get locked out of Gmail if Google decides to suspend your account. It has already happened to lots of users, even G Suite ones, and good luck trying to get it back.

Examples on HN: https://news.ycombinator.com/item?id=22146082
Google really sucks in this regard. You can also lose your account if someone hacks it and Google cannot determine who it belongs to, so it belongs to no one despite not being suspended.

Until Google decides to recycle unused account names: https://www.wired.com/2013/06/yahoos-very-bad-idea/

Why should my own domain be taken over? It can be taken over as easily as someone could take over my gmail.

I use my own domain on my own server with my own running mail server. Why should someone take that over?

Of course someone with state-level hacking experience could do that, but I am not a target for those. Script kiddies have no luck, because you can't even log in to my server from the Internet; you need to VPN in first.

My point wasn't about how gmail is perfect but that things that are under your control (domain you have to pay for, needs interaction from time to time) are more fragile sometimes than if they are not (social security number isn't going away).

That's the whole beauty with your own domain. They don't have to touch your server at all, it's enough if they can social engineer their way into your account at the DNS provider and point your domain to their own email server. Your security isn't even considered in this case. The only thing that can save you there is how good the DNS security is.

Unless Google arbitrarily decides to close your account (as has been known to happen) with no way to contact a human to correct things...

I want a private key embedded in a chip, that never leaves that chip, so all encryption and decryption happens on that chip—similar to how chip-and-pin credit cards work now. I'm identified by the corresponding public key. Then I want to embed that chip in my hand. Then I can unlock my car, house, computer, or phone and sign into any online service the same way: you send me a challenge token, I sign it with my private key then send it back.

And when I lose that chip, or it is damaged or stolen?

I guess the approaches taken with U2F tokens here (and FIDO2) make sense: have more than one token enrolled, and allow either to be used.

It's not perfect and there are usability issues around this, but they're mostly solvable. Needing both keys around to enrol into each service can be an issue, but this could be addressed by letting a user enrol other public keys as a delegate, and present a signed delegation token allowing that token to enrol a public key on behalf of an off-site token.

Revocation is the next issue: how do you revoke either of your tokens if stolen or compromised? PKI had this issue and ended up down the CRL vs OCSP approaches. Clearly you need to be able to revoke without the token being present (maybe storing a signed revocation for A on your B token), and some kind of gossip-based network to spread the signed revocation around. That might avoid centralising it.

As long as your "chip" is designed as an ISO smartcard, you can also rely on pin protection (I'll ignore the implanted under skin aspect, other than to observe that does adjust the threat model as deniability around knowing the PIN is lost at that point. A duress PIN that validly unlocks but generates different keys would be a potential solution here for where mistaken identity can be used as an escape from an adversary).

Yeah, I just can't see getting my 75 year old dad to be able to use a system like that.

Agreed, although most of this will end up wrapped up into the token and system itself, I suspect.

U2F is pretty much a "key" (some even visually look like keys) that is used pretty much like a physical key: put the key into the keyhole (USB port), and press the flashing light. Done.

That level of UX is what we all need to build towards!

Well, lost or stolen hopefully wouldn't happen if it's embedded in my hand—that's the point of embedding it in my hand!

To protect against damage—which is a very real possibility, of course—I'd put identical chips in each hand, and if one fails or gets damaged, then you'd have to rotate keys by replacing both chips.

And you could have a third identical chip/key (or a different private key on another device in a safe somewhere) as a further backup, as my sibling comment recommends.

I prefer losing the keys to my email than to lose my hand because someone wants to empty my bank account.

I'm not really concerned about that scenario, to be honest.

The security and privacy implications of this are horrifying to me, as are they to enough of the population that I doubt this will get widespread adoption.

Putting aside the embedded beneath the skin aspect (I share your concerns), this concept can actually work - see FIDO2 and U2F protocols. They're actually pretty good from a privacy perspective too, and give you unlinkability between services (as the key you present is derived from factors including the verified origin, i.e. URL, of the resource you're authenticating to).

Clearly the verified URL origin of something in the real world is complex, but there are ways to potentially make this work. Devices might have certificates for a URI, and this URI could be verifiable and convey attributes like the GPS coordinates to within 25m, that you can verify before authenticating. Users could presumably also whitelist certain origins (garagedoor.home.mydomain.net)

All of this apart from the subdermal part actually could work out well - a small number of people already do this via U2F, or even traditional smartcards.

I've thought about this a lot—I'm very interested in both security and privacy, so I wouldn't want to do this if I thought it would compromise either.

My current solution is that the device has three functions: encrypt/sign with private key, decrypt with private key, and send public key. They would be protected by a PIN—probably a six-digit alphanumeric pin. You might want to rate limit PIN attempts to one per second, as well.

With this scheme, I can't see how it would compromise privacy or security. No one can just scan your hand and know your identity, since you need the PIN to get your public key. And since all encryption/decryption happens on the chip, the chance that your private key gets stolen is pretty much as low as possible.

If you see any flaws with this scheme—I certainly wouldn't be surprised if there are, I just can't see any right now—please critique away!
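The two properties this subthread keeps returning to, a challenge/response against a key that never leaves the device and FIDO-style per-origin keys that keep sites from linking you, can be exercised in a few dozen lines. The block below is an added example; it is not code from the linked post and not a FIDO2/U2F implementation. To stay on the Python standard library the per-origin key is symmetric and the "signature" is an HMAC that the relying party recomputes, so the site here holds the same key the device holds; a real token would derive an asymmetric key per origin and hand the site only the public half. The exchange itself is as the comments describe: the device derives an unrelated key for every origin, the response covers the origin and a single-use challenge, and a response coaxed out through a look-alike origin is rejected by the real site. Origins, credential-id format and the 60-second challenge lifetime are assumptions.

```python
"""Origin-bound challenge/response with per-origin derived keys.

Added example. HMAC stands in for the asymmetric signature a hardware token
would produce; the derivation and verification flow are what the example is
meant to show, not the primitive.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Tuple


class Authenticator:
    """Stand-in for the chip: one master secret that never leaves it."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret

    def _origin_key(self, origin: str) -> bytes:
        # HKDF-style extract then expand, with the origin as context: distinct
        # origins yield unrelated keys, so two sites cannot correlate one user.
        prk = hmac.new(b"origin-key-v1", self._master, hashlib.sha256).digest()
        return hmac.new(prk, origin.encode() + b"\x01", hashlib.sha256).digest()

    def credential_id(self, origin: str) -> str:
        """Public identifier registered with the site; not the key itself."""
        return hashlib.sha256(b"cred-id-v1" + self._origin_key(origin)).hexdigest()[:32]

    def register(self, origin: str) -> Tuple[str, bytes]:
        """Enrolment: hand the site an id and the per-origin verification key
        (assumption: symmetric here, public key in a real token)."""
        return self.credential_id(origin), self._origin_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        """The device only ever signs (origin, challenge) as shown to it by
        the client; it never learns the site's view of the origin."""
        msg = origin.encode() + b"|" + challenge
        return hmac.new(self._origin_key(origin), msg, hashlib.sha256).digest()


@dataclass
class RelyingParty:
    origin: str
    creds: Dict[str, bytes]      # credential_id -> verification key
    pending: Dict[bytes, float]  # outstanding challenge -> expiry time

    def enrol(self, cred_id: str, key: bytes) -> None:
        self.creds[cred_id] = key

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[c] = time.time() + 60  # assumption: 60 s lifetime
        return c

    def verify(self, cred_id: str, challenge: bytes, response: bytes) -> bool:
        expiry = self.pending.pop(challenge, None)  # single use: replay fails
        key = self.creds.get(cred_id)
        if expiry is None or expiry < time.time() or key is None:
            return False
        # The site binds ITS OWN origin into the check, so a response computed
        # for any other origin (a phishing page relaying the challenge) fails.
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Constructed walk-through covering the cases discussed in the thread."""
    token = Authenticator(secrets.token_bytes(32))
    bank = RelyingParty("https://bank.example", {}, {})
    forum = RelyingParty("https://forum.example", {}, {})
    phish = "https://bank-example.evil"  # attacker's look-alike origin (assumed)

    bank.enrol(*token.register(bank.origin))
    forum.enrol(*token.register(forum.origin))
    cid = token.credential_id(bank.origin)

    results: Dict[str, bool] = {}
    c = bank.new_challenge()
    results["genuine login"] = bank.verify(cid, c, token.respond(bank.origin, c))
    results["replay of same challenge"] = bank.verify(cid, c, token.respond(bank.origin, c))
    # Phishing: the bank's challenge is relayed via a look-alike site, so the
    # browser tells the token the wrong origin and the bank rejects the answer.
    c2 = bank.new_challenge()
    results["relayed through phishing origin"] = bank.verify(cid, c2, token.respond(phish, c2))
    # Unlinkability: the same token shows a different id to every site.
    results["ids differ per origin"] = cid != token.credential_id(forum.origin)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the relying party ever checks the origin string, which is why the browser-verified origin (or, for the real-world locks the thread mentions, a device certificate bound to a URI) matters so much: the device cannot tell a phishing origin from the real one and relies on the client to report it honestly.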

This is a solved problem in many other countries. Instead of proposing some new solution maybe it would be better to copy an existing which has already proven to work.

Without sharing examples, this is effectively a non-answer. Thanks for the comment.

In Sweden, BankID covers well over 90% of the population between ages 20 and 60 with a unique electronic ID. (Including 98% of those between 20 and 40.) It supports identifying yourself with a credit card and pin using a card reader given to you by your bank or alternatively (and more commonly) a pin combined with a smartphone/computer that you have identified as being yours.

BankID covers well over 90% of the population between ages 20 and 60

What do the other 206,868 people do?

If a similar system were implemented in the United States, that would leave 6,514,383 out. What do you do with six million people who can't be part of the standard ID scheme?

In 2015 9% of Americans had never sent an email. https://fivethirtyeight.com/features/lindsey-graham-isnt-alo...

And as a result we have a lot of bank accounts hacked over the phone because people don't know how to use it. Or more importantly how NOT to use it. All it takes is a phone call to someone, telling them someone is trying to hack into their bank account and they need to hurry and ID themselves because the thief is running off with their pension. The police get these kinds of cases every day.

I love BankID but I have been using it since the start and know the pitfalls to watch out for. Most people do not know the problems though.

You're going to have a hell of a time trying to sell that to 50 states and a handful of territories, all of which can't even implement REAL-ID properly.

What agency manages BankID in Sweden? I would imagine in a better world, the US Postal Service could be doing some of this work in the states at a federal level, but I wouldn't get my hopes up.

I'm not here to babysit you. If you were serious about wanting to make a suggestion you would have started by looking at the current solutions. Not doing that is just a waste of screen estate.

Maybe there should be some transparent way for mail servers to request public encryption keys for an email address, and any incoming mail gets decrypted by the private key. So if someone hijacks your domain any password reset emails should be gibberish unless they magically got the private key, in which case you have worse problems.

This is the only technique I think might work till someone social engineers people at Twitter.

CAEP provides this to some extent https://openid.net/wg/sse/ - but now you're asking for a whole bunch of systems to be able to talk about you in back channels which other people will find fault with.

We should be using biometric markers filtered through homomorphic encryption.

This way we can verify/prove our identity without handing over those markers to multiple 3rd parties.

Biometrics are unrevokable. If yours are compromised through some other way then you can’t trust biometric authentication for the rest of your life.

But that doesn’t matter! I hate this argument because it misses the point of biometric authentication as “something you are.” There’s no such thing as compromise or revocation. It’s a piece of public information that can’t be stolen or used by anyone other than yourself.

The world can have high def scans of my fingerprint for all it matters, they can’t produce a living human finger with the same print. And if you can’t reasonably ensure that you’re taking a reading from a living human then you shouldn’t be using biometrics.

Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

Having your email secured by a password locked by a device you trust doing biometric auth is perfectly fine. Having a website somehow store your print isn’t.

> Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

What would this "hand data" look like? A 3D model of a hand MRI or X-Ray?

Based on my understanding, in any form of biometric authentication, some amount of static data (i.e. the biometric database is not receiving a secure, updating feed of the state of your hand/body) is stored on the server and compared with the data transmitted for authentication. Biometrics change (fingerprints can be rubbed off from gardening, DNA mutates, etc.), so this static biometric data is something that is mostly environment-invariant.

If someone can compromise your "full hand scanner" or compromise the biometric database (which will inevitably happen), then you are compromised for life, since you cannot change your hand.

> If someone can compromise your "full hand scanner" or compromise the biometric database (which will inevitably happen), then you are compromised for life, since you cannot change your hand.

Suppose this happens. The world now knows all of your fingerprints. And at some point in the future you walk up to the desk of a datacenter where there's a security guard who physically takes your hand, inspects it, and places it on the scanner. Can someone other than you pass this check?

Biometrics are a hard, mostly unsolved problem, because the hard part is replacing the human security guard who verifies that you're scanning a real person's hand. For not super security-sensitive applications TouchID, FaceID, and friends are good enough because most people aren't in Face Off or Mission Impossible.

> It’s a piece of public information that can’t be stolen or used by anyone other than yourself.

The point here is that this is completely wrong. Biometrics can be stolen and they're unreplaceable. There's no device in the world that can be sure it's reading a fingerprint from a living human. Drop a quick query into Google, you'll find dozens of methods that fool Apple's TouchID and that's probably one of the more robust implementations as it makes it rather difficult to do something like replace the sensor and feed in fake data directly to the system. There's only so much you can do to tell human flesh from inanimate objects when all you have is a tiny fingerprint sensor.

> Biometrics is not transmitting a picture of a fingerprint, it’s presenting your hand.

Biometrics is read with sensors, sensors produce data, data can be copied. If you were to publish scans you would have effectively allowed anyone the information needed to fake your fingerprint and authenticate as you. That's the definition of compromise.

Encryption isn't about making something impenetrable, it's about making it more difficult. For example, modern encryption is very difficult for present-day computers to crack, but won't be that hard for quantum computers to crack.

Also, you're discounting the possibility of multiple layers of biometric + non-biometric authentication. Password/Private-Key + retina scan + left big toe-print scan >= Password/Private-Key.

I also think there are ways to authenticate your identity outside of static data-points if there's a trusted 3rd party real-time system involved.

If you take the position that nobody, even a human sitting at a desk taking prints by hand, can verify that they’re reading from a living human then biometrics and every “something you are” auth is totally useless for all applications.

If you think of biometric auth as “the scan of your eye/hand/whatever is just a password” then I can’t help you and of course that system can be compromised. “Upload a PDF of your fingerprint" is the silliest auth system of all time.

> “the scan of your eye/hand/whatever is just a password” then I can’t help you and of course that system can be compromised.

Unless you have a human to sit there validate that they're reading from an actual human, isn't this essentially what biometric auth is? Am I missing something here? No reasonably sized machine can certainly do the needed verification with the limited information they have.

Not to mention - if it were to be heavily relied upon for security for a very high value target, say one of those bitcoin vaults with hundreds of millions of dollars locked away, you can certainly envision a world where you could get grafted silicone fingertips installed by a plastic surgeon that would likely fool humans based on the exact sort of data leak we discussed.

I totally agree with you, this is why biometrics are this weird "open for machines, but solved for humans" problem. If you don't trust the scanner then it's useless. Depending on your threat model you can do really fancy stuff like retina scans that detect blood flow and temperature, or TouchID for less-sensitive stuff like a screen lock.

> You can certainly envision a world where you could get grafted silicone fingertips.

If you built a system that's so secure that this is the lengths you have to go to beat it then you would be an overnight billionaire if you brought it to market. Like at this point you've achieved human-level verification. Assuming it was small enough to go in phones it would be revolutionary!

It sounds like both your biometric information and your password is actually stored on your local machine, then.

What happens when you lose the local machine?

Indeed. What if you are a super responsible person, but there is unrest in a country you are visiting or live in, through no fault of your own, and you are unable to pay a renewal. Or you fall sick and go to the hospital.

At minimum register a domain and email forward the wildcard address for it to your daily driver. Use this for important things and don't forget to renew.

Edit: you can do all this on namecheap pretty easily.

2FA works well in many instances if your email gets hacked

"assume that a public key cryptosystem exists"

Some organisation will try to own it and then users will be at the risk of getting banned and losing themselves.

Gmail is only a single failure point if you let it be one though - set up 2fa on all your accounts, and this problem is solved.

Google bans/locks/deletes accounts for arbitrary reasons all the time, with absolutely zero recourse for the user.

This domain hijacking idea reminds me of an incident with Google I discovered a couple of years ago that landed me a bug bounty with them. I found out they created email logins with a not-registered domain for their candidacy account. I ended up registering that domain and "sold" it back to them in good faith. At least I can die with a smile on my face -- I once sold Google a domain.

details: http://www.tnhh.net/posts/gcandidate-who-is-interviewing-wit...

Did you get the job you were looking for?

Even though they show the starred email address and one of the suggestions is not to show the email, I really hope people don't do that.

There is nothing more frustrating than when you're recovering your password and the site says we have sent you an email with no hint where, and even worse sometimes they say "if that email was in our records then you should get the link" and you're wondering did that work, and #1 worst is after making me solve 10 traffic lights and zebra crossings.

Because at that moment I feel it's just easier to start over and create a new account.

I don’t think you having to either A) remember what email you used or B) creating a new account is a big ask when the alternative is leaking your account presence on a given system. Not everyone wants other people to be able to essentially query a given app for an email account.

The vast majority of people don't use the same e-mail address for their entire lives.

You're right. An example use case.

Monitor having issues. Google solution. Land on a forum, but to see the full post / solution it requires email registration. I register with a junk yahoo type email address. Complete the long form, solve all the traffic lights, etc. Then get the solution, make a few posts and probably forget about it.

Monitor having problems again after 2 years, same forum, but it says my very unique username is taken. Now, I vaguely remember creating an account but don't remember what email I used. I try to reset my password but dang, each time it says "If that email was in our db you'll get it". If I get a hint I used yahoo maybe I can resume and hopefully use my old account with some post count rather than starting with a 1 day old account with 0 posts.

So your idea is to always give malicious actors additional information for account takeovers so you can use an account with a non-zero post count (not just non-zero, but only 1 or 2 as you insinuated)? Do you not see how naive that is?

Those users are already creating new email accounts, so creating a new e.g. FooApp account shouldn’t seem unreasonable to those users.

I think the vast majority of people use two... a personal one and a work one. Someone could easily check both for a person.

Amazon leaks iirc

I understand you feel that way, just want to explain why sites do that. If they give you a clear answer yes or no if it worked, others could check which emails are registered on the website. So in order not to leak the information on who has an account or not, they are ambiguous with their answers about whether the recovery was triggered or not.

It's, as always, about a balance between faster user experience and more extensive security features.

Oh, much better is the "you tell us what email you told us" approach.

This was a common way to harvest 6-digit ICQ numbers back in the day. Hotmail, MSN etc. had expiring email addresses as well that you could register to reset the password to the ICQ number.

Yeah this has been a common attack since as early as I can remember. Company goes bust? Wait for their domain to expire then register/catch-all and start seeing what mail you get from websites to see where there’s accounts using that domain. Also plenty of more targeted methods too.

I wonder if it would be useful to use Have I Been Pwned to find a list of accounts on websites using that domain.

oh yeaahh I forgot about the travesty of expiring emails on free services.
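The expire-then-catch-all pattern described above has a mirror on the defending side: a platform (or a researcher holding a list of handles and their contact addresses) can triage which login e-mails sit on domains that currently resolve to nothing. The script below is an added example, not code from the linked post. The resolver is injected and a constructed lookup table stands in for DNS so it runs offline; a real run would pass a function that does MX/NS/A lookups and then confirm candidates against RDAP/WHOIS, because an unresolved domain is a hint that it lapsed, not proof (it may be misconfigured, or already re-registered by someone else, in which case it resolves again and this check stays silent). The hard-coded two-label suffix list is a placeholder for the Public Suffix List.

```python
"""Triage e-mail addresses whose domain no longer resolves.

Added example. The resolver contract: given a domain, return the set of
record types it has (subset of {"MX", "NS", "A"}); an empty set means the
name resolved to nothing.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]

# Deliberately minimal stand-in for the Public Suffix List (assumption).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(email: str) -> str:
    """Domain a registrar would sell: alice@mail.foo.co.uk -> foo.co.uk."""
    local, sep, host = email.strip().lower().rpartition("@")
    if not sep or not local or "." not in host:
        raise ValueError(f"not an e-mail address: {email!r}")
    labels = host.strip(".").split(".")
    if ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(emails: Iterable[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Group addresses by registrable domain and classify each domain.

    dead    : no MX, NS or A at all (candidate lapsed domain; verify via RDAP)
    no_mail : resolves but has no MX (mail bounces; not an expiry by itself)
    alive   : has an MX
    """
    by_domain: Dict[str, Set[str]] = defaultdict(set)
    for e in emails:
        try:
            by_domain[registrable_domain(e)].add(e.strip().lower())
        except ValueError:
            continue  # skip malformed rows instead of aborting the batch
    out: Dict[str, List[str]] = {"dead": [], "no_mail": [], "alive": []}
    for domain in sorted(by_domain):  # one lookup per domain, not per address
        records = resolve(domain)
        if not records:
            out["dead"].append(domain)
        elif "MX" not in records:
            out["no_mail"].append(domain)
        else:
            out["alive"].append(domain)
    return out


# Constructed sample data: a fake resolver standing in for real DNS answers.
FAKE_DNS: Dict[str, Set[str]] = {
    "example.com": {"MX", "NS", "A"},
    "parked.net": {"NS", "A"},  # resolves, but nobody receives mail for it
    "foo.co.uk": {"MX", "NS"},
}


def fake_resolve(domain: str) -> Set[str]:
    return set(FAKE_DNS.get(domain, set()))


SAMPLE = [
    "alice@example.com",
    "bob@mail.example.com",
    "carol@Lapsed-Startup.io",  # no records at all: the case the post is about
    "dave@parked.net",
    "erin@foo.co.uk",
    "not-an-address",
]

if __name__ == "__main__":
    for bucket, domains in triage(SAMPLE, fake_resolve).items():
        print(f"{bucket:8s} {domains}")
```

For a platform the "dead" bucket is the list of accounts whose e-mail-based recovery should be suspended until the owner re-verifies; for the registrar-side check the same list is what an attacker would register. A companion step not shown here is to walk the "dead" domains through RDAP and look at the registration status and expiry date before acting on any of them.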

> I believe it accounts for a large portion of stolen accounts/handles on the platform.

I doubt it's a large portion. It costs money for each hijacked account, and custom domains I would assume are only used on a tiny fraction of accounts. The vast majority of stolen accounts I would attribute to credential stuffing.

What would be a universal solution to this problem? The only thing I can really think of is platforms not allowing custom domains for connected email accounts, but that seems sub-optimal.

If you deliver email to a customer and you notice that it bounces, any account security flows requiring access to that email should be disabled. Additionally, you should never show the full email address or phone number that is being used for an auth challenge. Nonetheless, those defenses will eventually be compromised.

Beyond that, it is not a company problem IMO. One of the most common uses for custom domains is custom email addresses. If a website prevented me from using it, as you propose, I would be flabbergasted.

I think you underestimate how often there are intermittent mail delivery failures, especially for custom domains.
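The bounce-driven lockout proposed two comments up, with the intermittent-failure caveat from the reply built in, as an added example that is not code from the article or from any commenter. A single RFC 3463 5.x.x status disables email recovery immediately, 4.x.x statuses only count against a consecutive-failure threshold, and a successful delivery resets that count. The account records, DSN codes and the threshold are constructed; the fixed-width address masking is an assumed design, chosen so a hint reveals neither the full address nor its length.

```python
"""Disable email-based recovery after a permanent bounce, not a transient one.

Added example, not code from the article or from any commenter. Account
records, DSN codes and SOFT_BOUNCE_LIMIT are constructed for the example.
"""
from dataclasses import dataclass

SOFT_BOUNCE_LIMIT = 3  # assumed policy: consecutive transient failures tolerated


@dataclass
class Account:
    username: str
    email: str
    recovery_enabled: bool = True
    soft_bounces: int = 0  # consecutive 4.x.x failures since the last success
    reason: str = ""       # why recovery was disabled, for the audit log


def classify_dsn(status: str) -> str:
    """Map an enhanced status code such as '5.1.1' to 'ok', 'soft' or 'hard'."""
    klass = status.split(".", 1)[0]
    if klass == "2":
        return "ok"
    if klass == "4":
        return "soft"
    if klass == "5":
        return "hard"
    raise ValueError(f"unrecognised DSN status {status!r}")


def record_delivery(acct: Account, dsn_status: str) -> Account:
    """Update the account's recovery state from one delivery status notification."""
    kind = classify_dsn(dsn_status)
    if kind == "ok":
        acct.soft_bounces = 0            # mailbox is reachable again
    elif kind == "soft":
        acct.soft_bounces += 1
        if acct.soft_bounces >= SOFT_BOUNCE_LIMIT:
            acct.recovery_enabled = False
            acct.reason = f"{acct.soft_bounces} consecutive transient failures"
    else:  # hard bounce: mailbox, domain or MX is gone
        acct.recovery_enabled = False
        acct.soft_bounces = 0
        acct.reason = f"permanent failure {dsn_status}"
    return acct


def mask_address(email: str) -> str:
    """Hint the owner can recognise without disclosing the address or its length."""
    local, _, domain = email.partition("@")
    tld = domain.rsplit(".", 1)[-1]
    return f"{local[:1]}***@{domain[:1]}***.{tld}"


if __name__ == "__main__":
    acct = Account("alice", "alice@example.org")
    for status in ("4.4.1", "2.0.0", "4.4.1", "4.4.1", "4.4.1"):
        record_delivery(acct, status)
        print(status, "->", "recovery on" if acct.recovery_enabled else f"recovery off ({acct.reason})")
    print("hint shown to user:", mask_address(acct.email))
```

Once `recovery_enabled` is false the reset flow should fall back to whatever other factor the account has, or to a manual process; re-enabling it should require a fresh confirmation to the same address, since a later successful delivery may be going to the domain's new owner.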

On the user-side, using private email relays (i.e. Apple's Hide My Email, AnonAddy, etc) mostly eliminates this issue.

Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account. Then any security interaction like password reset, or 2fa would go to the primary address and would send an alert to the secondary email address about the nature of the communication. There could be a link in the email (sent to the secondary email address) that could allow the user access to instantly lock the account and/or disable access to the account from the primary email address until the user updates their settings. The secondary recovery email address should not be able to be changed without an email confirmation (to the secondary email).

Good practice for users in general is to use email services like gmail as their login/account email and add their custom domain emails in their bio.

But what if the provider takes your account down? You end up with an unrecoverable account.

> Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account.

No thank you, I don't want a mandatory backdoor for every government that might want to claim jurisdiction over one of those large worldwide providers.

> the site could require a secondary recovery email address from an approved provider

No. I have a domain precisely because of avoiding a monopoly, duopoly, oligopoly on my email. Any service that required this would have me walk. The footsteps of a single zhte415 may not be loud, but I feel, especially in tech, I would not be alone.

> Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account.

Great, if we do this, we've done to e-mail addresses (and domains) what we've done to phone numbers. Some phone numbers, because of the carrier serving them, are "less than" others out of some (mistaken) idea that it's easier to get a bulk-load of phone numbers from some kinds of carriers and not others.

And then, what do you do when a new provider wants to join the scene? It already takes a year of process and documentation for a new certificate authority to get into most browsers and even then the adoption will be years in the making because most devices don't get root certificate updates. What's the process like for e-mail in your hypothetical? Does Hey.com not even bother because getting buy-off from even the top 50 account-based web sites takes forever?

> Good practice for users in general is to use email services like gmail as thier login/account email and add thier custom domain emails in thier bio.

Absolutely not. The entire point for using my own domain is so my identity is not irrevocably tied to Google. When Google can, and does, nuke my account from orbit on a whim due to some perceived slight, I have no recourse. I can't even sue because of the mandatory arbitration clause they slapped in their several-thousand-word terms of service.

Cronjob to regularly check if the domain is expired/up for sale? The service "has this domain changed owners in a way that's relevant for logins" could even be turned into a SaaS startup, later to be extended to individual accounts (someone deletes an e-mail account, cancels a phone plan, etc., then a new person creates a new one with just that name). One could strike contracts with all the e-mail providers and phone networks to tell via API when this happens and then send the info to services that use those accounts.

What would you do in this situation though? People still need to be able to reset their own passwords. And some accounts don't have any other means of contact. It's extremely common to only have an email address and a password.

If there is an alternative way available to reset passwords, support that one. If there is none, either lock the account, or give access to the handle but "delete" its contents.

What does "custom domain for connected email accounts" mean? Isn't every domain custom? Do you mean anything that isn't @gmail.com?

Yes, roughly speaking any domain you registered yourself.

2FA that can't be bypassed with a password reset?

This isn’t the workflow I see when trying the password reset process on an old account that I’ve recently tried to recover. I’ve forgotten both the password and the email address associated with the account, but I know the domain I would have used, and I own it so I could easily prove ownership of the email address if I knew what it was.

But when I click Forgot Password, it asks me for my username and also the email address before I can continue.

How do you get the email address hint like the article shows?

I am also not seeing the behaviour that the OP describes.

One has to wonder about sustaining access to a compromised account. Twitter in my experience has been very aggressive in asking to verify my account with a phone number when logging in from shady locations / with a VPN. What if you get access to an account using the method described in the article, but then days later get locked out due to suspicious-looking behavior / you don't have access to the phone number used to register the account?

You would remove the phone number after logging in. If it asks for the phone when logging in initially, then you are SOL. To prevent this, the hacker would make sure the location of the account matches the country of the IP logging in.

Anyone else have people sign up for accounts with your email address? I had one recently where I could access a working GrubHub account for a while. And in the spirit of lame on-boarding optimization and “churn” prevention, while I could have used it - I couldn’t cancel the account. That required the phone number associated.

I had someone create a spotify account on one of my emails with an old (clearly burnt) password as the username.

Why? I figure that's generally either for spamming or viewbotting (Re: likes, stars, etc) purposes especially on sites that don't require email verification to do things.

Only every other day. Most I don't care about but the major social networks? Yeah, I'm closing those accounts down ASAP because of the id theft risk and what not.

This is how I used to get all kind of old ICQ numbers back in the 90s. Hotmail addresses, back then, used to expire.

Ironically enough, I've been vulnerable to the described attack afterwards as I had my own domain, didn't use it much anymore, and gave it away (to a band with the same nickname). Back then, a domain was pricey, and I was poor, so...

I dunno how this got to the front page. This is an extremely old vector and not even that effective given the tiny, tiny likelihood of finding a domain or account that works. It would actually be cheaper to buy an old Twitter account from someone who does not use his account anymore, legitimately, than to try to go through millions of accounts, which requires tons of proxies and other evasion methods. Twitter is not easily searchable and neither is Google. Twitter has extreme rate-limiting measures, so you need a lot of proxies for this to work and those cost money.

> This attack can potentially be executed on other platforms besides Twitter, assuming one can find a similar discovery method

You don’t need another discovery method after you take their Twitter account and email :)

Only for targets not on twitter.

My point is that Twitter is probably enough.

But if you really just want to compare domain names that are expiring to email addresses, you can just use one of those business bots that spammers, recruiters and sales people use, and just check emails in their database to domains expiring.

My wife and I started up a small reselling business, based on our name. The dotcom for it was previously owned, but they let the domain lapse, but they still have the Twitter account (that has the web address we now own in their profile; they haven't posted since 2016). I tried an approach similar to the article, but they apparently used Gmail to set it up. (I reached out to them to buy it to no response; I assume that Twitter account has been orphaned)

time to add an underscore to the name

Or maybe see if they Have Been Pwned in the past.

What if we could have services encrypt their emails sent to us via pgp? eg Twitter (or anything else) asks for your public key and then sends all future emails using it.

Facebook does that if you add your key to your account.

Perfect! A true second factor. Not just some annoying gimmick, like SMS.

I've thought about this in terms of people passing away and the domain no longer being renewed afterwards.

10 years limit on domain registrations seems ridiculous, we need lifetime-span registration capabilities, at least.

This has been standing practice for a while and is not connected to just Twitter. Sometimes you can find public NDRs online via bug reports and such and easily grab a service account.

Heh. I did something like that: https://xach.livejournal.com/227751.html

On the plus side, it's heartening to learn enough people use non-GMail/Outlook/Yahoo/WhateverSilo email addresses to make such an attack viable :)

Didn't Yahoo close unused accounts at some point opening the doors to all kinds of takeovers?

Curious what Twitter would do if this was contested later.

If you get domain you can watch for mails from LinkedIn, Pinterest, Facebook, Instagram and many more!

Old news, this has been known for years.
