I was using a site today that has a “security” procedure that is so poorly designed, that I thought it was worth discussion. When it comes to aspects of security, I believe it is a good idea to publicize wrong approaches widely, so that those implementing web sites will learn not to take that approach. Let this be a lesson.
I run a website for a local non-profit organization. Being a voluntary position, the the job of managing the web site has been passed through many people over time. I checked into the account for the domain registration, and it still had the email address of the last person who did this job, a couple years ago. I set out to change this to an email address that I receive email at. This is where something very surprising happened: a confirmation email was sent to the OLD email address, asking to confirm the change. Keep in mind, that the account has a username and password that actually protect the account, and the email address is used only for notifications.
Normally when you change an email address, the service will send an email message to the NEW address, requesting confirmation. This is important for several reasons:
- it confirms that the email address is being delivering to a valid email inbox,
- it confirms that the correct email address was not entered for the person requesting the change, and
- avoids the possibility that the company unwittingly participates in spamming an unsuspecting person because someone enters the name of someone else they want to spam.
These are the reasons for sending a confirmation message.
What this Service Did
The service sent a confirmation message to the OLD email address, asking whether the change was requested. The result was that the old volunteer, who has not had anything to do with the account for years, received an email asking for confirmation of something they did not do. I happen to still be acquainted with that person, and so he forwarded the email to me, and I was able to complete the change, but it occurs to me that there is a huge potential for problems.
That user no longer has access: The email provided a link for the former user to click on, but in order to complete the confirmation, that user has to enter the correct username and password, something they did not have.
Dead Email Address: Consider the case where old address is to an email server that is shut down or otherwise no longer in service. In this case, the email confirmation is never delivered to anyone, and there is no way to get the confirmation. You are stuck without any way to change the email address to a valid account.
Abandoned Email Inbox: Similar to the last, if a user abandons an inbox, for example because they leave a particular organization, then the inbox is effectively dead, only there is no email bounce message. A company email address typically is NOT forwarded to a new company when a person changes position, and usually that person has no access to the old account. Like the dead address, there is no way to receive the confirmation message.
No verification of new address: At no point was I required to prove that the new address worked! If I had entered that email address incorrectly, and confirmed at the old address, then I would be completely stuck. All email would be delivered to an incorrect address, and there would be no way to change it.
Why this is an Egregious Mistake
The flaw in the logic is thinking that the old email address is equivalent to current user. There is no guarantee that the user is equivalent to the email address. There are many situations where the email address might no longer deliver to the current user, and many situations where it delivers to entirely the wrong user. It is a huge mistake to think that adding an extra security step is adding security. It is at best entirely irrelevant, and at worst a big problem. If the user still can receive email at that address, then the confirmation is easy and the user is no better protected against harm. However, in the event that the email is not retrievable by the current user, the effect of the confirmation is only to prevent them from correcting this situation.
The security of the system is provided by the username and the password. Access to the system is guarded by that, and all aspects of the account are guarded and controlled by that username and password. The account could be canceled by that username. The account could be changed to be entirely different, possibly much more costly. If someone hacked into the account, the inability to change the email address does not prevent the hacker from doing harmful things at any magnitude. Adding a duplicate precaution does not increase the security.
I can’t think of one single reason that the confirmation should go to the old address. As far as I can see, this is simply an inability for the site designer to think through elementary scenarios. However, help me out if you can see a reason to do it this way.
In conclusion, I believe that the designer of this system simply did not think through the possible scenarios concerning WHY they asking for a confirmation email. Perhaps they were told to implement a confirmation email, and simply did not understand why this was important, so they used the old address thinking it was more “secure”.
In a nutshell: those implementing systems: you want to confirm every new email address added to the system to be sure it works correctly, and that the person who requested the change gets the email there. But if you log in with username and password, there should NEVER be a limitation on getting rid of an old email address. A courtesy message to the old email warning them of the change should be sufficient.
After posting this I found another extension to the story. It turns out the the person who had this job before me had a similar problem: the person before him had abandoned his account at the ISP and the email inbox that went with it. He tried all the official routes to change the email address on the account, but no avail: without receiving that email he was NOT going to get to change the email address.
It turns out that that particular ISP recycles user names after a period. So after a year had gone by without any luck, he signed up for that ISP requesting the same user name that the previous person had, and got that person’s old email address! Armed with access to that old email inbox, he was able to receive the “security confirmation” and change the setting to his current email address.