10 Popular Websites That Compromise Your Email Address

Konstantinos Gkoutzis
Adventures in Consumer Technology
Oct 18, 2015

1. Introduction

Three months ago, the database of a website called “Ashley Madison” was attacked, which resulted in the leak of a massive amount of data, including the email addresses of its members. Even though this kind of incident tends to be quite common these days, what makes this case so “special” is the fact that this website enabled people to cheat on their partners… (I’m not kidding, their motto is “Life is short. Have an affair.”).

As you can guess, potential adulterers didn’t appreciate that the email list was publicized — for obvious reasons, and it even led to some very tragic consequences. Some of those who weren’t afraid to reveal that they had an account there confirmed that their email address was on this list, thus unofficially declaring the list authentic. This caused a lot of trouble for many, including, however, certain people who were implicated without actually having an account there.

You see, Ashley Madison let members use the website without forcing them to verify the email address they had entered when they registered. Even if the actual owner of the email address eventually received a message from the website, this could easily end up in their spam/junk folder, or just get ignored and deleted. You will find that some of the places still offering this notorious list state: “the accuracy of the data is not guaranteed” because of this.

However, as the saying goes, “a single lie destroys a whole reputation of integrity”, so you would think that, after all this, websites would be more careful with the way they use email addresses as a form of user identification. You would think that… but it wouldn’t be true.

2. The Experiment

I used alexa.com (a website that ranks other websites based on their traffic), in order to find the Top 50 most popular websites in the world right now (according to Alexa). I then removed from this list:

• all the websites that offered email services (-21)
• all the websites that I couldn’t understand, e.g. in Chinese or Russian (-9)
• all the websites that force you to have a mobile phone to register (-3)
• all the websites that didn’t let users create an account at all (-2)

This left me with 15 websites where I could create an account with my email. The goal of the experiment was to test whether I could log in and use them, without ever verifying my email address. As the spam sites usually say: “the results may shock you”.

1 website completely prevented me from using it unless I verified my email
4 websites allowed me to enter and use a few sections, but not everything
10 websites let me use them without restrictions, as if I were a normal user

Full results follow (with a mild dose of humor to lighten up the mood).

3. The Results

AliExpress.com = Nope!
Believe it or not, this website was the only one that completely prevented me from using it unless I verified my email address. I would have to enter my mailbox and click the link they sent me in order to finalize my registration. Nicely done, China.

Amazon.com = Yeap…
I was able to create an account and even purchase a free Kindle e-book..! What’s the rush Amazon? The new user can spend an extra minute verifying their email address before they buy that last signed copy of “50 Shades of Grey”.

Apple.com = Uum, yea, kinda
This one is only a bit of a “yes”, because, even though I could log in and use all the pages, it asked for a credit card to actually do anything useful (even to download free e-books!), so I stopped there. Anyone with an unverified Apple ID who’s using Apple Store? Tell me in the comments below.

eBay.com = Another “yeah, kinda”
Same thing as above: I could log in and use all the pages, but (of course) it asked for payment details in order to bid. Anyone with an unverified eBay account who’s bought things?

Facebook.com = Yes… so much yes…!
Facebook is one of the worst offenders. Anyone can create a Facebook account using anyone’s email. Even if you go ahead and delete that account, this can be repeated; again and again. The only way to actually prevent this from happening all the time is to… create a Facebook account for yourself! Make sure you disable it afterwards though, otherwise FB will consider you as part of its “monthly active users” during their next business valuation…

IMDB.com = Just a bit
You can do a few things here but, in order to become an all-knowing troll, erm I mean critic, you need to verify your email. Better than nothing I guess.

imgur.com = Come right in!
The doors are wide open! Come and share your dank memes, press lots of like/dislike buttons and post quirky comments. We’ll worry about verifying you later!

LinkedIn.com = Yea, um, I mean, no
There are certain LinkedIn profiles that are blocked to outsiders and can only be viewed if you have a LinkedIn profile yourself. Well, fear no more! By creating an unverified LinkedIn account you can view them; no questions asked! You will only need to verify your email if you actually want to connect to them. Better late than never, I suppose, but it could be even better, LinkedIn.

PayPal.com = Do come in, but place your wallet here first
Yes, you can enter but no you can’t use the money services. This could be helpful if, for example, you made a typo and wanted to correct your email address, but I still believe that forcing the user to access your website for the first time via an emailed link is the safest way to proceed.

Pinterest.com = <b>Yes!</b>
We will keep showing you this annoying message in broken HTML, informing you that you need to verify your email but, meanwhile, feel free to fully use our website and pin your favorite ads, I mean fetishes, I mean pics lol autocorrect!

reddit.com = As Yes As It Goes
I had no idea until now but, believe it or not, reddit doesn’t need you to link your account to an email address — at all! The email field is optional! I hope this puts into perspective a few things about the website. In any case, if you actually do submit an email address, verification doesn’t really matter; you can use everything — just like non-email users.

tumblr.com = Yes, come in! (don’t let that Y! scare you away)
You can enter and fully use the website just like any other user. There is an annoying message that politely reminds you to verify your email, but that’s about it. Hipsters can’t be bothered with verifications!

Wikipedia.org = As Yes As It Goes #2 — The Return
Another website where the email field is optional. If you submit an email address and do not verify it, you have the same access rights as those who haven’t submitted one at all, and, more or less, as those who haven’t even registered, so… yeah.

Wordpress.com = Come in but shhhh
Even though you can log in, create a blog and write some posts in “draft mode”, you can’t officially publish them for everyone to see until you verify your account. That’s one way to force your users to verify I guess, but they still get to reserve a blog address/name that they can’t really use, Wordpress!

X*****S.com = Uumm, yea..?
In the name of scientific research, I created an account on this website that probably needs no introduction and is definitely NSFW (hence the asterisks). Currently ranked #47 on a global scale by Alexa, this website gives you full access without enforcing email verification. Another Ashley Madison risk, if you ask me.

Do you know of any other such websites? Feel free to add them in the comments!

4. Conclusions

So, to put things into perspective, if you mistype your email address or if you deliberately use someone else’s instead, you may get access to some of the aforementioned websites — but it won’t be “real”. The true owner of that email address could click that verify link and take over your account at any time. Even if they lose the email with that link, they can still reset your password (it will end up in their mailbox anyway) and “evict” you from “your” (=their) account, so it’s not worth the risk (unless your goal is to implicate them on purpose — shame on you!).

If you are the owner of that email address and you receive any such messages about website registrations you didn’t request, a) first make sure that the link is authentic (it could be spam or a virus) and then b) cancel or invalidate that account creation as soon as possible. In cases such as Facebook, you may even need to create an account yourself (even if you don’t want to use it) and then disable it, letting it act as a “placeholder”, so that no one else will be able to claim it as their own ever again. Whatever you do, do not ignore that verification email.

Finally, for anyone who claims that “This works as intended”: you may need to rethink your business logic. Verifying an email address takes seconds these days. Sacrificing basic security to avoid minor inconvenience is not worth the trade-off.
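
The emailed-link gate argued for in the PayPal entry and in the paragraph above, as an added example (not code from any of the websites tested): the account stays unusable until a single-use, expiring token that was sent only to the mailbox comes back. The `Accounts` class, its method names, the 24-hour lifetime and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 24 * 3600  # assumed lifetime of the emailed link, in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot verify accounts.
    return hashlib.sha256(token.encode()).hexdigest()

class Accounts:
    """In-memory stand-in for a user table (hypothetical names throughout)."""

    def __init__(self):
        self.users = {}    # email -> {"salt", "pw", "verified"}
        self.pending = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self.users.get(email, {}).get("verified"):
            raise ValueError("address already belongs to a verified account")
        # A repeated sign-up replaces the unverified record and voids older links.
        self.pending = {d: v for d, v in self.pending.items() if v[0] != email}
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": _pw_hash(password, salt), "verified": False}
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, now + TOKEN_TTL)
        return token  # sent only inside the email to `email`, never in the HTTP response

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)  # pop makes the link single-use
        if entry is None or now > entry[1]:
            return False
        self.users[entry[0]]["verified"] = True
        return True

    def login(self, email, password):
        user = self.users.get(email.strip().lower())
        if user is None:
            return False
        ok = hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"]))
        return ok and user["verified"]  # a correct password alone opens nothing
```

With this gate, someone who signs up with another person’s address holds a password for an account that never opens, and a later sign-up for the same address simply replaces the unverified record.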

Konstantinos Gkoutzis
https://kgk.gr

PS: I wonder how many of these websites would let users in if the email address didn’t even exist. Ah well; “Future Work”.
