
FWIW, https://plus.google.com/people/find

You can find people's G+ profile if you guess the email correctly. I wouldn't be surprised if LinkedIn, Facebook, etc. had the same type of thing. I do think that coinbase-API should be rate-limited or unreplayable, but I'm _much more_ interested in where the email-list input data came from. My email wasn't in this alleged partial list, but if it was I'd like to know where they got my email from to begin with because the source of that email-list is the real problem IMHO.

I will say this though: Coinbase, please make sure there is absolutely no api call that returns banking/CC info!




You can just type emails into the gmail account creation form to get results back on whether the username was taken.

This whole debacle is making a mountain out of a molehill.


Do it enough, and you get a CAPTCHA, do it more, and you get banned by IP. I would assume that the limits are set to a point that it's very difficult to enumerate the database in any reasonable timespan.


In a not-yet-authenticated state your code should do everything it can not to tell a potential hacker something they do not already know. Being able to check if an account exists and being able to read off the full name associated with it are not the worst problems in the world (though knowing the full name could make phishing attacks slightly less unconvincing), but if you take the attitude of never telling an attacker anything, no matter how innocuous you think the information is, then you are less likely to accidentally let something sensitive slip due to a bug.
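The principle in the comment above, as an added example that is not part of the thread: a pre-auth account-lookup handler in two forms, the leaky one and one that returns an identical response whether or not the address exists, behind a per-client rate limit. The user table, client identifiers and limits are constructed for illustration.

```python
import time
from collections import defaultdict
from typing import Optional

# Constructed user table for the example (not real data).
USERS = {"alice@example.com": {"name": "Alice Example"}}


def lookup_leaky(email: str) -> dict:
    """Pre-auth lookup that leaks both account existence and the full name."""
    user = USERS.get(email)
    if user is None:
        return {"error": "no such account"}
    return {"name": user["name"]}


class RateLimiter:
    """Fixed-window limiter keyed by client (e.g. source IP); constructed helper."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(list)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[client] if now - t < self.window_s]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60.0)


def lookup_uniform(email: str, client: str, now: Optional[float] = None) -> dict:
    """Pre-auth lookup that tells the caller nothing it did not already know.

    The response body is the same for existing and unknown addresses; any
    confirmation mail is sent out of band only for real accounts, so the
    only party that learns the answer is whoever controls the mailbox.
    """
    if not LIMITER.allow(client, now):
        return {"status": "too many requests"}
    if USERS.get(email) is not None:
        pass  # enqueue the out-of-band mail here; never reflect it in the reply
    return {"status": "If that address is registered, mail has been sent."}
```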


SMTP's the API for checking if an address exists at any mail provider. Start sending a mail, if the server doesn't tell you there's no such mailbox right then, you can abandon the connection without sending a message through. No CAPTCHAs there either.


Many mail servers delay account checking for that very reason.

They take in all mail - instead of telling the sending MTA that the account doesn't exist the message is accepted and sent to /dev/null. A bounce message may be generated but the automated MTA won't see that as the message will be carrying invalid mail sender information.


Many mail relays, especially spam appliances like Barracuda, will always give a 250 OK to the email address provided to prevent exactly this trick. They then toss as spam or bounce once they get the message.



