Friday 28 January 2011

Quora login exposes names and photos

When Quora went live a few weeks ago, I was one of many who rushed in to sign up for an account and see what all the excitement was about. It describes itself as "a continually improving collection of questions and answers created, edited, and organized by everyone who uses it". Sounds like a nice idea, but I haven't really used it enough to gauge how useful it actually is.

I thought I'd change that, so I revisited quora.com today to give it another go, but the first thing that struck me was the default behaviour of the login form.

As soon as you enter your email address into the login form, it automatically displays your full name and profile image. This is not dependant on cookies or location – anybody in the world can do this with your email address in order to find out what you look like, and what your full name is. They don't even need to be registered with Quora to find this out.

The login form posts the email address in an XMLHttpRequest to http://www.quora.com/webnode2/server_call_POST. If that email address is registered on Quora, the server responds with the name and photo from the corresponding Quora profile. I consider this both a security and a privacy problem.

Armed with just your email address, an anonymous attacker can:

  • Determine whether you are registered on Quora.
  • Map your email address to your full name – very useful for phishing.
  • Discover what you look like.

I don't think many Quora users would expect their details to be exposed in this way, and at least not to people who haven't even registered to use Quora. It is worth noting that Facebook also reveals names and photos after a few failed login attempts, but only after a CAPTCHA has been solved (thus preventing large scale automated abuse)

But what are the real security implications? Phishing victims are more likely to fall for scams if a phishing email contains the victim's full name. Indeed, genuine emails from PayPal even offer this piece of advice in the footer:

How do I know this is not a Spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always address you by your first and last name.

Obviously that's not safe advice.

18 comments:

  1. That behaviour doesn't really conform to their own Privacy Policy! "Quora may share your personally identifiable information with third parties for the purpose of providing the Service to you. If we do this, such third parties' use of your information will be bound by this Privacy Policy."

    ReplyDelete
  2. I made the mistake registering to post an answer to a question on quora, and I now regret it and am mad for having given out my personal email address while registering instead of an anonymous one like I usually on sites that appear less trustworthy. Comes to prove the biggest crooks wear the slickest suits, I guess.

    What really bothered me was the fact site insists you give your REAL NAME when registering, instead of an alias. It's enough that they get my IP address and email address!

    Considering the multitude of scams and the new online spying laws our governments are trying to force upon us, I find that demand very, very worrisome and I am glad you brought the issue up.

    Thanks for giving other people with the same problem the choice to voice our opinion anonymously!

    ReplyDelete
  3. Whats up, I cannot fully grasp the way to put your web page in my rss reader. Can you guide me, please

    ReplyDelete
  4. ok...that is scary. Not sure if I ever went to that site since I have been to so many, but I don't like it one bit.

    I never do anything illegal, so it seems that this is a major violation of my privacy for sure.

    ReplyDelete
  5. Hi, Very nice description about Viral factor Formula. I like your web blog.
    Because whenever i come into your web blog then i always get the new interesting and important information in your web blog.

    Thank You

    Viral factor Formula

    ReplyDelete
  6. I personally use Quora for marketing matters because now it becomes to easy to find all things from there Quora marketing should be done by every web masters because of it popularity.

    ReplyDelete
  7. You can discover scripts that will make this login highlight for you. This empowers you to secret word secure your page. It permits individuals to login to your enrollment site utilizing a username and secret word.
    TalkTalk login/

    ReplyDelete
  8. In spite of the fact that the endlessness of the group name databases for all small time baseball groups in all small time baseball alliances all through the history ofprofessional baseball is too vast to totally go over in one article, we've limited down the best AAA Pacific Coast League group names from the previous decade. Appreciate. team names for color run

    ReplyDelete
  9. The exchange esteem (at some point equivalent to the discount estimation of the vehicle) will be the most educational when you're looking for a title credit. https://www.usapaydayloanstore.com/chicago

    ReplyDelete
  10. It is worth noting that Facebook also reveals names and photos after a few failed login attempts. Now it's time to avail Baby Liquid Soap for more information.

    ReplyDelete
  11. High Severity situations demand immediate attention and swift action, whether in a technical, medical, or crisis context. In the same vein, the need for effective and accessible education is also a high severity matter, making initiatives such as distance learning in pakistan an essential solution for ensuring broader educational opportunities.

    ReplyDelete
  12. Your experience returning to Quora and reexamining user login behaviours results in an intriguing user interface analysis. When assessing websites and mobile apps for usability assignments, it's crucial to look at default components like login forms. Resources on university assignment structure might help students studying UI/UX design or web development organise their critical input on digital platforms. Considering users' initial perceptions and identifying any potential friction or misunderstanding points is beneficial. Well-considered criticisms aid in locating chances for interface optimisation to serve target audiences better. We appreciate your helpful illustration of how user perspective influences improvement.

    ReplyDelete
  13. Accidente Fatal de Motocicleta en Virginia Beach
    The text "Quora login exposes names and photos" is well-written and informative, providing a basic overview of the vulnerability and its impact. The first sentence, "A security vulnerability in Quora's login system has exposed the names and photos of millions of users," is a good introduction to the topic. The second sentence, "The vulnerability was caused by a misconfiguration in Quora's OAuth 2.0 implementation," builds trust with the reader, demonstrating that the vulnerability is not due to malicious intent on Quora's part. The third sentence, "The vulnerability has been patched, but it is still possible that some users' data may have been accessed by malicious actors," gives the reader a good idea of the potential risks involved. The fourth sentence, "Users are advised to change their passwords and be on the lookout for phishing emails," ends the text on a positive note, offering concrete steps for users to protect themselves. However, the text could be improved by providing more specific information about the number of users affected and the steps users can take to protect themselves from phishing emails. Overall, the text is a good start, but with additional information, it could be a valuable resource for those concerned about the Quora login vulnerability.

    ReplyDelete
  14. Amazing, Your blogs are really good and informative. I got a lots of useful information in your blogs. I thought I'd change that, so I revisited quora.com today to give it another go, but the first thing that struck me was the default behaviour of the login form contract dispute litigation. It is very great and useful to all. Keeps sharing more useful blogs...

    ReplyDelete
  15. This alarming review sheds light on a concerning security issue as the Quora login exposes user names and photos. The article emphasizes the gravity of the situation, underscoring the potential risks associated with unauthorized access to personal information. Users are urged to be cautious and consider additional security measures in light of this vulnerability. The review serves as a critical alert to Quora's user base, urging them to stay informed and take necessary precautions to protect their privacy online. As digital security remains paramount, this revelation demands swift attention and action from the platform. divorcios en nueva jersey

    ReplyDelete
  16. You can find scripts that will make this login feature for you. This engages you to secret word secure your page. It grants people to login to your enlistment site using a username and secret word. virginia reckless driving attorney cost || is new jersey a no fault state for divorce.

    ReplyDelete