How not to send password reset notification email (scriptogr.am)
200 points by slaven on Mar 3, 2013 | 40 comments

In their Security Notice they write "Never click on 'reset password' requests in emails — instead go directly to the service". And after I changed my password I received confirmation email saying

"This email confirms your recent Evernote password change.

If your Evernote password was changed without your knowledge, then please click the link below to change it again:" followed by a big "Reset Password" button.

A bit funny as they just told me to never click on something like that.

It's a test.

This is more generic: if you do link tracking in your email, do it through your own domain, it's really not that hard, and urls that go through some other business are a huge red flag.

Personally, I probably cut people a bit of slack by going through whois to check if the domain belongs to some well-recognized mass mailer, but I wouldn't blame the MUA for just spamming anything that mentions a "login" along with a domain that isn't a descendant of the sender's domain.

Trusting whois data isn't a good idea. With most registrars you can write into those fields whatever you want. Just because a domain tells you it belongs to someone, doesn't actually mean that it belongs to this person.

Well, yeah, it's generally a first step — the last few cases were Kickstarter-related campaign stuff, so I could look for evidence that they actually sent it, and then hope it's actually that thing. But this just goes further to illustrate that this is a really bad idea — there is no good way to validate such an email.

It's rarely up to a developer. For websites with large email campaigns there's usually a third party system, which has some link tracking feature. And guess what, your marketing department is using it, and they don't want to switch to your custom one (which will take a few months to code, debug, implement all kinds of reporting compatible with what they do now).

In this case one could simply write a script that forwards the request from your own domain to the third party system. It could be done on the server in such a way that the user would never leave your own domain:

1. User clicks http://links.example.com/?redirect=example.com/reset_passwor...

2. The server running on links.example.com makes a request to the third party web server

3. The server redirects the user to http://example.com/reset_password

If doing this, it'd be critical to ensure the redirection script only redirects to example.com, otherwise a phisher could use it. Probably safer to have it only take a path, actually.
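The three-step redirector from the parent comment, written so that it cannot become an open redirect: it accepts only a path (plus optional query), as the reply above suggests, and always lands on the site's own host. This is an added example, not code from the thread or from any of the providers named in it; example.com and the `redirect` parameter name are taken from the scheme above, and the fallback behaviour is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed values for this example: the only host a tracked link may land on,
# and where to send the user when the parameter is unsafe.
ALLOWED_HOST = "example.com"
FALLBACK_PATH = "/"

# Characters RFC 3986 allows in a path and a query. Anything else (spaces,
# control characters, backslashes, non-ASCII) is rejected outright.
_PATH_RE = re.compile(r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*$")
_QUERY_RE = re.compile(r"^[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*$")


def safe_target(redirect_param):
    """Return https://ALLOWED_HOST<path>?<query>, or None if the value is unsafe.

    Only a relative path is accepted, so the redirector can never be made to
    send a user to another host, whatever the parameter contains."""
    if not redirect_param:
        return None
    # Explicit check for CR/LF (header injection) and backslashes, which some
    # browsers treat as forward slashes, before any URL parsing happens.
    if any(ord(c) < 0x20 or c == "\\" for c in redirect_param):
        return None
    parts = urlsplit(redirect_param)
    # Absolute URLs ("http://evil.test/"), scheme-relative ones ("//evil.test")
    # and pseudo-schemes ("javascript:...") all set scheme or netloc.
    if parts.scheme or parts.netloc:
        return None
    if not _PATH_RE.match(parts.path) or not _QUERY_RE.match(parts.query):
        return None
    # Fragment is dropped; everything else is re-rooted on our own host.
    return urlunsplit(("https", ALLOWED_HOST, parts.path, parts.query, ""))


def handle_click(query_string):
    """Steps 1 and 3 of the scheme: parse ?redirect=... from the request on
    links.example.com and return (status, Location). Step 2, notifying the
    third-party tracker, would go between the two and is left out here."""
    params = parse_qs(query_string, keep_blank_values=True)
    target = safe_target(params.get("redirect", [""])[0])
    if target is None:
        # Unsafe or missing value: send the user to our own front page rather
        # than anywhere the parameter asked for.
        return 302, urlunsplit(("https", ALLOWED_HOST, FALLBACK_PATH, "", ""))
    return 302, target
```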

If the server running on links.example.com makes that request, wouldn't the 3rd party web server lose out on doing things like setting cookies in the client's browser or determining their rough location via IP address?

Not that I'm particularly a fan of either practice, but there's probably some use cases there that would have to be accounted for in some way that the 3rd party service could accommodate.

If that were needed perhaps links.example.com could display an iframe containing the third party site.

I agree that neither approach is ideal, but it would prevent users from receiving third party links in their emails.

Those cookies would be blocked for browsers with 3rd-party cookies disabled, and Firefox is making that option the default at some point in the near future.

Going to mkt5371.com (the domain in the tracked link) gives you a static landing page with an abuse@silverpop.com contact. This tells me one of two things:

1) Silverpop doesn't have an option to disable tracking for specific links included in emails sent from their system or

2) The person creating the email failed to take advantage of this feature.

If Evernote wanted to take advantage of this feature on purpose in order to determine what percentage of their userbase has reset their password, then I'm baffled why they decided to trust a 3rd party lead management system instead of the updated_at fields in their database.

Either way, the whole point of purchasing Silverpop is that you can avoid having to code your own solution.

You would have to know the URL on the third party server to redirect to. And usually, you don't, because they are generated internally by some pre-processor.

Why can't you automagically redirect from mkt5371.evernote.com/anything to links.evernote.mkt5371.com/anything ?

Better yet, simply point your DNS "passwordreset.evernote.com" to the same server.

Because you don't know what that "/anything" is, only your mailing system does, and it converts links in your email template to these mkt5371-type links right before it sends out the email.

Why do I need to know anything at all about the link structure beyond the domains?

If the user requests (from a link in the mail) "mkt5371.evernote.com/foo123", redirect to "links.evernote.mkt5371.com/foo123"; If they request "/bar456?id=asdask", redirect to the same query under the mailer's domain.

I would have believed you if I weren't working for a website with large emails campaigns. And this comment wasn't even aimed at "the developer", not really — but at anyone involved in decisions like this.

Three years ago, 37signals wrote an email saying all users would have to pick new user names and passwords (I guess changing to a single sign in across all apps).

It was fairly well written, but I swore it was an elaborate phishing scheme. Here is an example of one of the URLs they used: http://37signals.cmail4.com/t/y/l/uiulli/kkulljtjr/d

Now looking back, it's clear they were simply using a redirect URL to track clicks, but I had no clue. You can't even go to cmail4.com without getting an error and no description about what the service is.

I didn't even get the email from evernote regarding the password reset.

Luckily, the Evernote app signed me out and asked me to log in again (which didn't work with my old password). I had to log in through the website and it prompted me to change my password (no link on why) and then it worked with the new password.

I searched through my email trying to see if any email got eaten by the spam folder, but none, "No emails".

I have a feeling they're sending them in batch emails. I just got mine this evening after a lot of other people.

Just an interesting tidbit I noticed: I received several of these mails from Evernote, as I have multiple accounts (including some I set up for others).

Up until about 28 hours ago (4AM March 3 in Japan), all the embedded links were the bogus, phishing-esque URLs that the OP complains about.

As of 22 hours ago (10AM March 3 in Japan), the emails look the same, but all the links point to http://evernote.com.

So at least somebody at Evernote did notice (or read this post or respond to similar complaints), and corrected the situation in the middle of their 50,000,000-user email campaign.

That is really good to hear - all it took was probably a single checkbox in their email marketing software to not rewrite all emailed links.

Couldn't Evernote just use a CNAME record on a subdomain that pointed to mkt5371.com? I know that's how the SendGrid click tracking app keeps the links on your domain (http://sendgrid.com/docs/Apps/click_tracking.html)

Not if the domain is always different. I've seen transactional email providers who will give you a different domain or subdomain for each email and it's all real random. I'm currently using Mandrill and I haven't checked if it's true for them but I know it's true for others.

That's a fairly arbitrary engineering decision, though. Using a CNAME for link tracking seems like an obvious use to accommodate, and you'd think providers would build their services with that in mind, or at least be able to tweak them once a demand presented itself.

Quite moronic of Evernote.

HTH is J. Random User supposed to figure out that mkt5371.com is a service hired by evernote.com? A minimally alert user would click the Report Phishing button upon mousing over.

By including a link that happens to do the right thing, Evernote is conditioning its users to succumb to phishing in the future.

I got a reset message from Evernote, and I didn't even remember that I had an account. I must have tried it for my typical 30 seconds to conclude "meh" and moved on, then forgot it. I'm still not 100% sure what they do beyond ... note taking?

But I initially assumed it to be ballsy phishing, a brazen attempt to capitalize on Evernote's current trouble. Why? BECAUSE IT HAS A FUCKING LINK TO THE SERVICE IN THE EMAIL! That's the very minimum definition of phishing. Sheesh!

I hovered over it, saw that it was to evernote, but hovers can be faked, and my intuition and experience told me that this smells like phishing no matter what. Sheesh.

Synchronized note taking. That part's nothing too special. The killer feature for me is they do OCR on your uploaded pictures, which makes saving whiteboard drawings and back-of-napkin diagrams a breeze, or for snapping pics of business cards and then having searchability over the contents.

Great points and something I've been studying and trying to perfect myself for my own service. So while I couldn't agree more with the author's position, I think the unfortunate reality is that there's only a very small minority of users who would know any better anyway. It's mostly just people like us who would know better. Everyone else would just click because there are no spelling or grammar errors and the email is branded properly.

This raises the question of how to educate users. I think we may be confusing them. I don't know about everyone else, but I teach non-technical people not to trust emails that ask you to reset your password when you didn't initiate the action. I always teach, as many of us do I think "don't click links in emails unless you know the sender personally or have requested the link" but then in cases like this we have to go back on that statement and say "well this time it's okay" and while we have really good and logical reasons for why, I don't think we can expect non-techies to understand it. To them it sounds like a contradiction, like "don't click links in emails except when I say it's okay". Then even if you teach people to check where the links are going (good luck) you've got to also teach them about domains, subdomains, and maybe even query strings. It's just a huge mess and I'm at a loss for how to educate people when it comes to a situation like Evernote's regardless of having link tracking or not.

The worst cases of emails I have gotten are from Sony. For example, the Planetside 2 beta acceptance letter came from info@e-sonyonline.com and without ANY personal information. It was the most generic official letter I have received. The link to download PS2 was also from link.e-sonyonline.com. I disregarded it at first, only discovering after a while that it was genuine. And a lot of people are having doubts about this address, just google it.

Also, their password reset letter comes from something like contact@p7s1games.net. I usually disregard everything like this automatically. Luckily the reset link is planetside2.eu.

Official email should never include links (unless it's signed, but what is?), the potential for trouble is just too great. I had this exact same problem back in 2003 from a financial company. I wrote them a serious email telling them just how dangerous it is to teach your users that it's OK to click on links that don't even go to your domain in random emails. I even showed them how easily I could create a phishing site.

The person who organised the email drop clearly got some hassle over it and sent me a response personally, but clearly still did not understand the problem.

I guess here Evernote figured any instructions they sent would have resulted in a link being sent anyway, so why not just send the link and ensure a higher shot of compliance.

They seemed to have forgotten about phishing.

Some sites have taken to including in such emails account information that presumably only the company would know (such as part of the account number) along with the name. I know of at least one bank that does this. The idea, of course, is that the user can then verify that it must be coming from the company.

This can be reassuring when the email is legit, but the problem is that it requires the user to remember for subsequent emails that such information should be present. So, if a phishing attack comes, will the user stop and think, "hey, where is the personal account info?" Some will, but many won't. I mean, if a user can't be trusted to follow a simple set of instructions (thus needing links), then how can he be expected to remember the security policies of every company for which he is a customer?

Not to mention that most email has roughly the same security level as a postcard. There are a lot of personal details that I wouldn't want written on a postcard.

Not to mention the fact that lots of 'personal information' is not in fact private, e.g. date of birth (one of my financial accounts uses date of birth), mother's maiden name, social security number, etc.

True that. I often think of how many services ask for the same info as "security questions". By definition, if there's a "standard" set of such questions, it's not secure.

I also hate when unsubscribe from spam is on a different domain than the business, using a 3rd party email/marketing company. And I hate how "enter your email to confirm unsubscribing" is pretty common.

If I can't opt-out of a mailing campaign by just clicking a link, I'll invariably mark it as spam.

I was disappointed by this headline. After resetting my Evernote password this morning, I was looking forward to reading about a new technique that would allow me to avoid password resets in the future. Oh, well.

Is anyone working on such a thing?

(While I'm thinking of it, wordpress.com's password reset should be shot. I get several emails a day because it allows resets by username instead of email or username+email. This whole password issue needs some better minds assigned to it.)

Should also be using SSL so the query string is encrypted.

It's in an email message, which has probably already made several hops in the clear, so that's probably a lost cause if they're looking for actual security, but a nice idea, I guess.

True, but getting everyone on signed/encrypted email is a much more massive undertaking than just sending an https link.

To your point, as long as straight SMTP is involved, there will always be a gaping hole. But, sending https links is a very cheap way to prevent making the hole even bigger.

Anyway, all of this underscores the fact that virtually nothing that Evernote did was secure. But, most companies probably wouldn't have done much better.
