Discussion:
Email address should not be reusable after account deletion
Singletime
2017-04-14 16:29:03 UTC
Hello list,

I am affected by a Kolab security problem:

I was a KolabNow user for some time. In July 2016 I deleted my account. In October 2016, I tested whether it was possible to create a new account with the same email address as before, and surprisingly it worked!

This means that after at most three months someone else could take over the email address of a deleted account. This exposes ex-users to identity theft, e.g.:
a) by replying to mails of contacts that by mistake still use the old address;
b) by catching password recovery emails, when people forget to update their email address in all online accounts.

This problem is already known as the hidden entry https://issues.kolab.org/show_bug.cgi?id=4125: In https://issues.kolab.org/show_bug.cgi?id=4124#c5, bug 4125 is called "the requested functionality of preventing signup for deleted accounts". According to the date of the "neighboring" bugs, this is already known since at least December 2014.

To fix this problem, I suggest that Kolab instances should block addresses of deleted accounts "forever".

I have already contacted the KolabNow technical support about this in November 2016, but they answered: "We cannot reserve email addresses after they've been removed from our systems."
I also told them that I will disclose this problem after a sensible time interval, so that's what I am doing now, such that Kolab users are warned, and Kolab developers are informed.

Best regards,
Singletime
Paul Ryszka
2017-04-14 16:42:52 UTC
Hi,

That is not such a problem, as this requires domain name redirection to the Kolab instance after the account has been removed, and there are two scenarios:

1) the domain's mail has been moved to another provider, in which case simply creating an account with the same email achieves nothing (you can just as well set it up on your home server);

2) the domain is still redirected to the same instance, in which case the domain administrator has authority over creating and deleting email accounts.

So the only problem I can see is when you are using the provider's domain, which has a number of repercussions, security and otherwise.

Best regards

Paul
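Added example, not Kolab code and not from either poster: a signup policy that implements the permanent reservation Singletime asks for, scoped as Paul's reply suggests to the provider's own domains (customer domains stay under their administrator's control). It keeps only keyed hashes of retired addresses rather than the addresses themselves; PROVIDER_DOMAINS, PEPPER and the class and function names are assumptions.

```python
import hashlib
import hmac
import unicodedata

# Constructed values (not from the thread): the provider's own domains,
# and a secret pepper so the tombstone holds keyed hashes rather than the
# deleted users' addresses in clear.
PROVIDER_DOMAINS = {"kolabnow.com"}
PEPPER = b"placeholder-secret-rotate-in-production"


def normalize(address: str) -> str:
    """Canonical form so case and Unicode variants of one mailbox collide."""
    local, _, domain = address.strip().partition("@")
    local = unicodedata.normalize("NFKC", local).casefold()
    domain = domain.encode("idna").decode("ascii").lower()
    return f"{local}@{domain}"


def tombstone_key(address: str) -> str:
    """Keyed hash of the normalized address; the address itself is not stored."""
    return hmac.new(PEPPER, normalize(address).encode(), hashlib.sha256).hexdigest()


class SignupPolicy:
    def __init__(self):
        self.active = {}      # normalized address -> account id
        self.retired = set()  # tombstone keys of addresses never to be reissued

    def reject_reason(self, address: str):
        n = normalize(address)
        if n in self.active:
            return "address in use"
        if tombstone_key(n) in self.retired:
            return "address belonged to a deleted account and is permanently reserved"
        return None

    def create_account(self, account_id: str, *addresses: str) -> None:
        for a in addresses:
            reason = self.reject_reason(a)
            if reason:
                raise ValueError(f"{a}: {reason}")
        for a in addresses:
            self.active[normalize(a)] = account_id

    def delete_account(self, account_id: str) -> None:
        # Only provider-domain addresses are tombstoned; a customer domain
        # stays under its own administrator's control (Paul's scenarios).
        for addr in [a for a, o in self.active.items() if o == account_id]:
            del self.active[addr]
            if addr.rpartition("@")[2] in PROVIDER_DOMAINS:
                self.retired.add(tombstone_key(addr))
```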
Singletime
2017-04-28 17:04:14 UTC
Paul Ryszka wrote on 19. April 2017 11:59 UTC:

So the only problem I can see is when you are using the provider's domain, which has a number of repercussions, security and otherwise.

So can the [kolabnow.com](https://kolabnow.com/) people please give this warning on the "individual account" creation page? This would have helped a lot.

-- Singletime
