i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser...
-
wow it looks like a major hospitality management platform in europe does this because i just started to get lists of folks and which hotels they are checking in to
good lord people
-
@SecureOwl Considering they can't just use null, what could be an acceptable option? @invalid? Although, to be fair, if they can't just null is because something is validating email, so it might require a TLD. Nah... I guess there is no way to rationalize this.
@qgustavor @SecureOwl One of the domains reserved for testing (effectively) like example.com would do it
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl
What a strange thing for people to do. They could change the email deleted@local or maybe actually delete the data. -
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl the main reason I don't do well as a pentester is that I never try a lot of things simply because I think "nah, nobody would be that stupid". And then reality proves I am waaaaaaay too optimistic.
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl “””””deleted”””””
-
@SecureOwl we have a top level domain for this at home: .invalid
@SecureOwl at the very least use deleteduser.the-actual-company-domain.whatever instead of a completely foreign domain name anyone can buy
-
@paul_ipv6 @SecureOwl lord only knows what example.com receives
@cw @paul_ipv6 @SecureOwl to train a markov bot on whatever gets mailed to there would be hillarious but probably not a very good idea
-
@SecureOwl I second that
-
@SecureOwl
What a strange thing for people to do. They could change the email deleted@local or maybe actually delete the data.@xinit @SecureOwl or something under
.invalidat leastthough if they know about that they probably know to actually erase the data
also i think deleted@invalid is a valid email (since you can just use an apex domain if you have one lying around but almost nobody does) but i reckon a lot of validation regexes reject it
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl if you wanted you could turn that domain into the next “have I been pwned”, but “have I been not actually deleted”
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl What about userdeleted?
-
@briankrebs @SecureOwl @chetfaliszek oh yesh, I remember that one.
Needless to say I think #DoNotReply-Addresses should be outlawed and using one should get a domain banned until the operators apologize personally…
@kkarhan @briankrebs @SecureOwl @chetfaliszek i think they're fine for automated notifications esp if a reply-to header is given
-
@SecureOwl the main reason I don't do well as a pentester is that I never try a lot of things simply because I think "nah, nobody would be that stupid". And then reality proves I am waaaaaaay too optimistic.
@womble @SecureOwl Sigh, AFAIK the reality is it is extremely difficult if not impossible to brainstorm the lowest (highest?) level of stupid that will occur in the wild. People tend to apply very simple & limited set of responses to everything in their life, and when operating out of their core familiar domains very few will stop to ponder if what works in the dessert might not work in the ocean.
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl HA!
GDPR is a joke. Over under on how many of these companies face repercussions?
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl@infosec.exchange Maybe we should also check deletedaccount
-
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
M monkee@other.li shared this topic
