At some point in time we decided that email addresses control the keys to the kingdom. If you lose access to your email, there goes your social media accounts, your bank accounts, your gaming accounts, and potentially many of your commercial accounts as well.

And then we decided that custom domains are the most professional. Which does make sense; there can only be one 'robert@gmail.com'. But this is coupled with the idea that domains can expire, and that expiry does not appear to kill the identity that's potentially associated with the domain.

We should not be using email addresses as our primary source of identity verification in the first place. And we definitely _should_ have some way to globally declare that an identity has been compromised. Especially given our society's track record of keeping databases safe from breach.

I more or less assume it is inevitable that one of my major accounts will be compromised, and that this will be able to cascade into most of my major accounts being compromised. I do what I can to protect myself, but gmail as a single source of failure makes me nervous. Using any email provider besides gmail makes me even more nervous, because they don't have the full power and knowledge of Google protecting their databases.
This domain hijacking idea reminds me of an incident with Google I discovered a couple of years ago that landed me a bug bounty with them. I found out they created email logins with a not-registered domain for their candidacy account. I ended up registering that domain and "sold" it back to them in good faith. At least I can die with a smile on my face -- I once sold Google a domain.

details: http://www.tnhh.net/posts/gcandidate-who-is-interviewing-with-google.html
Even though they show the starred email address and one of the suggestions is not to show the email, I really hope people don't do that.

There is nothing more frustrating than when you're recovering your password and the site says "we have sent you an email" with no hint where, and even worse, sometimes they say "if that email was in our records then you should get the link" and you're wondering whether that worked. And the #1 worst is after making me solve 10 traffic lights and zebra crossings.

Because at that moment I feel it's just easier to start over and create a new account.
This was a common way to harvest 6-digit ICQ numbers back in the day. Hotmail, MSN etc. had expiring email addresses as well that you could register to reset the password to the ICQ number.
> I believe it accounts for a large portion of stolen accounts/handles on the platform.

I doubt it's a large portion. It costs money for each hijacked account, and custom domains I would assume are only used on a tiny fraction of accounts. The vast majority of stolen accounts I would attribute to credential stuffing.
What would be a universal solution to this problem? The only thing I can really think of is platforms not allowing custom domains for connected email accounts, but that seems sub-optimal.
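One mitigation a platform can apply on its own side, added here as an example and not something proposed by any commenter or by the linked article: before a password-reset link is the sole factor, compare the age of the recipient domain's current registration against the last time the user proved control of that address. If the domain was (re)registered after that verification, the mailbox may belong to a new registrant, so the reset should require a second factor instead. The registration-date source below is a constructed dict standing in for a hypothetical WHOIS/RDAP lookup; `Account`, `reset_decision` and `demo` are names invented for this example.

```python
"""Gate password-reset e-mail on whether the recipient's domain changed hands.

Added example for this thread; not code from Twitter or from any commenter.
Assumes a registration-date source (constructed here) and a simple account record.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    username: str
    email: str
    # Last time the user proved control of this address (clicked a verification link).
    email_verified_at: datetime


# Constructed stand-in for an RDAP/WHOIS query: domain -> creation date of the
# *current* registration. None means the domain is not registered right now.
REGISTRATION_CREATED = {
    "example.com": datetime(2010, 3, 1, tzinfo=timezone.utc),
    "lapsed-example.net": datetime(2023, 6, 15, tzinfo=timezone.utc),  # re-registered
    "gone-example.org": None,
}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part; the local part is left alone."""
    return email.rsplit("@", 1)[1].lower()


def reset_decision(account: Account, lookup=REGISTRATION_CREATED) -> str:
    """Return 'send', 'step_up' or 'block' for a reset request on this account.

    'send'    : domain registration predates the user's last verification.
    'step_up' : domain changed hands since verification, or its status is unknown;
                require a second factor (phone, authenticator, support review).
    'block'   : domain is currently unregistered; a reset mail would bounce now
                and could be harvested by whoever registers it later.
    """
    domain = domain_of(account.email)
    if domain not in lookup:
        return "step_up"  # no data: don't assume the mailbox is still theirs
    created = lookup[domain]
    if created is None:
        return "block"
    if created > account.email_verified_at:
        return "step_up"  # registration is newer than the proof of control
    return "send"


def demo() -> dict:
    """Run the check over constructed sample accounts and return the decisions."""
    verified_2019 = datetime(2019, 1, 1, tzinfo=timezone.utc)
    samples = [
        Account("alice", "alice@example.com", verified_2019),
        Account("bob", "bob@Lapsed-Example.net", verified_2019),
        Account("carol", "carol@gone-example.org", verified_2019),
        Account("dan", "dan@unknown-example.test", verified_2019),
    ]
    return {a.username: reset_decision(a) for a in samples}


if __name__ == "__main__":
    for user, decision in demo().items():
        print(f"{user}: {decision}")
```

The 'step_up' outcome is the important one: it keeps the reset flow usable for legitimate users on long-held domains while refusing to let a freshly registered domain act as the only proof of identity.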
This isn’t the workflow I see when trying the password reset process on an old account that I’ve recently tried to recover. I’ve forgotten both the password and the email address associated with the account, but I know the domain I would have used, and I own it so I could easily prove ownership of the email address if I knew what it was.

But when I click Forgot Password, it asks me for my username and also the email address before I can continue.

How do you get the email address hint like the article shows?
One has to wonder about sustaining access to a compromised account. Twitter in my experience has been very aggressive in asking to verify my account with a phone number when logging in from shady locations / with a VPN. What if you get access to an account using the method described in the article, but then days later get locked out due to suspicious-looking behavior / you don't have access to the phone number used to register the account?
Anyone else have people sign up for accounts with your email address? I had one recently where I could access a working GrubHub account for a while. And in the spirit of lame on-boarding optimization and “churn” prevention, while I could have used it - I couldn’t cancel the account. That required the phone number associated.
This is how I used to get all kind of old ICQ numbers back in the 90s. Hotmail addresses, back then, used to expire.

Ironically enough, I've been vulnerable to the described attack afterwards as I had my own domain, didn't use it much anymore, and gave it away (to a band with the same nickname). Back then, a domain was pricey, and I was poor, so...
i dunno how this got to the front page. this is an extremely old vector and not even that effective given the tiny, tiny likelihood of finding a domain or account that works. It would actually be cheaper to buy an old twitter account legit from someone who does not use his account anymore, than try to go through millions of accounts, which requires tons of proxies and other evasion methods. Twitter is not easily searchable and neither is google. Twitter has extreme rate-limiting measures, so you need a lot of proxies for this to work and those cost money.
> This attack can potentially be executed on other platforms besides Twitter, assuming one can find a similar discovery method

You don’t need another discovery method after you take their Twitter account and email :)

Only for targets not on twitter.

My point is that Twitter is probably enough.

But if you really just want to compare domain names that are expiring to email addresses, you can just use one of those business bots that spammers, recruiters and sales people use, and just check emails in their database to domains expiring.
My wife and I started up a small reselling business, based on our name. The dotcom for it was previously owned, but they let the domain lapse, but they still have the Twitter account (that has the web address we now own in their profile; they haven't posted since 2016). I tried an approach similar to the article, but they apparently used Gmail to set it up. (I reached out to them to buy it to no response; I assume that Twitter account has been orphaned)
What if we could have services encrypt their emails sent to us via pgp? eg Twitter (or anything else) asks for your public key and then sends all future emails using it.
I've thought about this in terms of people passing away and the domain no longer being renewed afterwards.

10 years limit on domain registrations seems ridiculous, we need lifetime-span registration capabilities, at least.
This has been standing practice for a while and is not connected to just Twitter. Sometimes you can find public NDRs online via bug reports and such and easily grab a service account.
Heh. I did something like that: https://xach.livejournal.com/227751.html
On the plus side, it's heartening to learn enough people use non-GMail/Outlook/Yahoo/WhateverSilo email addresses to make such an attack viable :)