undefined | Better HN

0 pointskornnflake13y ago0 comments

That's not your mailaddress in the URL. It's like a password to access the inbox later :)

0 comments

5 comments · 2 top-level

chockablock13y ago· 3 in thread

Hmm... But why should the 'password' URL be so similar to the mail address. Doesn't this mean that if I know your mail address, I can fairly easily guess the secret URL to let me see that inbox?

(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these 2 different random strings?)

A couple more examples: 1QjYwHNM vs 1QjYwHOc 1Qk07A9x vs 1Qk07A9X

nwh13y ago

Yeah, the developer is going to want to fix that quick smart. At a complete guess they are two strings being generated in quick succession from the same seed, and they both happen to be very close. End result is that I can guess your email.

Sami_Lehtinen13y ago

Also email addresses are in really tight set and easily guessable. So that system should be fixed in general. Not just for address / password issue. But also getting proper address distribution.

chockablock13y ago

Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.

You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)

The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).

The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?

Issues raised:

1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).

2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)

3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.

1 more reply

aaronpk13y ago

Cool, thanks.

j / k navigate · click thread line to collapse