Friday, 28 January 2011

Quora login exposes names and photos

When Quora went live a few weeks ago, I was one of many who rushed in to sign up for an account and see what all the excitement was about. It describes itself as "a continually improving collection of questions and answers created, edited, and organized by everyone who uses it". Sounds like a nice idea, but I haven't really used it enough to gauge how useful it actually is.

I thought I'd change that, so I revisited today to give it another go, but the first thing that struck me was the default behaviour of the login form.

As soon as you enter your email address into the login form, it automatically displays your full name and profile image. This is not dependant on cookies or location – anybody in the world can do this with your email address in order to find out what you look like, and what your full name is. They don't even need to be registered with Quora to find this out.

The login form posts the email address in an XMLHttpRequest to If that email address is registered on Quora, the server responds with the name and photo from the corresponding Quora profile. I consider this both a security and a privacy problem.

Armed with just your email address, an anonymous attacker can:

  • Determine whether you are registered on Quora.
  • Map your email address to your full name – very useful for phishing.
  • Discover what you look like.

I don't think many Quora users would expect their details to be exposed in this way, and at least not to people who haven't even registered to use Quora. It is worth noting that Facebook also reveals names and photos after a few failed login attempts, but only after a CAPTCHA has been solved (thus preventing large scale automated abuse)

But what are the real security implications? Phishing victims are more likely to fall for scams if a phishing email contains the victim's full name. Indeed, genuine emails from PayPal even offer this piece of advice in the footer:

How do I know this is not a Spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always address you by your first and last name.

Obviously that's not safe advice.


  1. That behaviour doesn't really conform to their own Privacy Policy! "Quora may share your personally identifiable information with third parties for the purpose of providing the Service to you. If we do this, such third parties' use of your information will be bound by this Privacy Policy."

  2. I made the mistake registering to post an answer to a question on quora, and I now regret it and am mad for having given out my personal email address while registering instead of an anonymous one like I usually on sites that appear less trustworthy. Comes to prove the biggest crooks wear the slickest suits, I guess.

    What really bothered me was the fact site insists you give your REAL NAME when registering, instead of an alias. It's enough that they get my IP address and email address!

    Considering the multitude of scams and the new online spying laws our governments are trying to force upon us, I find that demand very, very worrisome and I am glad you brought the issue up.

    Thanks for giving other people with the same problem the choice to voice our opinion anonymously!

  3. Whats up, I cannot fully grasp the way to put your web page in my rss reader. Can you guide me, please

  4. ok...that is scary. Not sure if I ever went to that site since I have been to so many, but I don't like it one bit.

    I never do anything illegal, so it seems that this is a major violation of my privacy for sure.

  5. Hi, Very nice description about Viral factor Formula. I like your web blog.
    Because whenever i come into your web blog then i always get the new interesting and important information in your web blog.

    Thank You

    Viral factor Formula

  6. I personally use Quora for marketing matters because now it becomes to easy to find all things from there Quora marketing should be done by every web masters because of it popularity.

  7. You can discover scripts that will make this login highlight for you. This empowers you to secret word secure your page. It permits individuals to login to your enrollment site utilizing a username and secret word.
    TalkTalk login/

  8. In spite of the fact that the endlessness of the group name databases for all small time baseball groups in all small time baseball alliances all through the history ofprofessional baseball is too vast to totally go over in one article, we've limited down the best AAA Pacific Coast League group names from the previous decade. Appreciate. team names for color run

  9. The exchange esteem (at some point equivalent to the discount estimation of the vehicle) will be the most educational when you're looking for a title credit.