i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser...
-
@SecureOwl
What a strange thing for people to do. They could change the email deleted@local or maybe actually delete the data.@xinit @SecureOwl or something under
.invalidat leastthough if they know about that they probably know to actually erase the data
also i think deleted@invalid is a valid email (since you can just use an apex domain if you have one lying around but almost nobody does) but i reckon a lot of validation regexes reject it
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl if you wanted you could turn that domain into the next “have I been pwned”, but “have I been not actually deleted”
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl What about userdeleted?
-
@briankrebs @SecureOwl @chetfaliszek oh yesh, I remember that one.
Needless to say I think #DoNotReply-Addresses should be outlawed and using one should get a domain banned until the operators apologize personally…
@kkarhan @briankrebs @SecureOwl @chetfaliszek i think they're fine for automated notifications esp if a reply-to header is given
-
@SecureOwl the main reason I don't do well as a pentester is that I never try a lot of things simply because I think "nah, nobody would be that stupid". And then reality proves I am waaaaaaay too optimistic.
@womble @SecureOwl Sigh, AFAIK the reality is it is extremely difficult if not impossible to brainstorm the lowest (highest?) level of stupid that will occur in the wild. People tend to apply very simple & limited set of responses to everything in their life, and when operating out of their core familiar domains very few will stop to ponder if what works in the dessert might not work in the ocean.
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl HA!
GDPR is a joke. Over under on how many of these companies face repercussions?
-
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer, is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted'
@SecureOwl@infosec.exchange Maybe we should also check deletedaccount
-
Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:
UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Serviceand best of all
US based Antivirus Manufacturer and Cybersecurity Provider
-
M monkee@other.li shared this topic
