When Quora went live a few weeks ago, I was one of many who rushed in to sign up for an account and see what all the excitement was about. It describes itself as "a continually improving collection of questions and answers created, edited, and organized by everyone who uses it". Sounds like a nice idea, but I haven't really used it enough to gauge how useful it actually is.
I thought I'd change that, so I revisited quora.com today to give it another go, but the first thing that struck me was the default behaviour of the login form.
As soon as you enter your email address into the login form, it automatically displays your full name and profile image. This is not dependent on cookies or location – anybody in the world can do this with your email address in order to find out what you look like, and what your full name is. They don't even need to be registered with Quora to find this out.
The login form posts the email address in an XMLHttpRequest to http://www.quora.com/webnode2/server_call_POST. If that email address is registered on Quora, the server responds with the name and photo from the corresponding Quora profile. I consider this both a security and a privacy problem.
Armed with just your email address, an anonymous attacker can:
- Determine whether you are registered on Quora.
- Map your email address to your full name – very useful for phishing.
- Discover what you look like.
I don't think many Quora users would expect their details to be exposed in this way, at least not to people who haven't even registered to use Quora. It is worth noting that Facebook also reveals names and photos after a few failed login attempts, but only after a CAPTCHA has been solved (thus preventing large scale automated abuse).
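To make the server-side point concrete, here is an added example (my own illustration, not Quora's or Facebook's code) that models a login backend in Python. `leaky_prefill` reproduces the problem described above: an unauthenticated request carrying only an email address is answered with the matching profile's name and photo, so the response itself tells the caller whether the address is registered and who owns it. `LoginService.login` shows the alternative: personal details are released only after a correct password, the unknown-email and wrong-password cases return an identical message and do the same amount of hashing work, and, like the Facebook behaviour mentioned above, repeated failures from one client require a solved CAPTCHA before any further attempt is processed. The user table, password, salt, client identifiers and the failure threshold are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed static salt for the example only; a real system stores a random
# per-user salt alongside each password hash.
_SALT = b"constructed-static-salt"
_ITERATIONS = 10_000


def _hash_password(password, salt=_SALT):
    """PBKDF2-HMAC-SHA256 of the password; used for every comparison below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user table (made-up addresses, names and photo paths).
USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "photo": "/img/alice.jpg",
        "pw": _hash_password("correct horse"),
    },
}

# Hash of a dummy password. When the email is unknown, the login path still
# runs a full PBKDF2 comparison against this value so that the unknown-email
# case costs the same time as the wrong-password case.
_DUMMY_HASH = _hash_password("dummy-password-never-accepted")

# Failed attempts a single client may make before a CAPTCHA is demanded.
FAILURE_THRESHOLD = 3


def leaky_prefill(email):
    """The behaviour described in the post: an unauthenticated request that
    carries only an email address gets back the profile name and photo.
    The differing responses make this an account-enumeration oracle."""
    user = USERS.get(email.strip().lower())
    if user is None:
        return {"found": False}
    return {"found": True, "name": user["name"], "photo": user["photo"]}


class LoginService:
    """Login backend that releases profile details only after authentication."""

    def __init__(self):
        # client identifier (e.g. source address or session) -> failure count
        self.failures = defaultdict(int)

    def login(self, client_id, email, password, captcha_solved=False):
        # After a few failures, refuse to process further attempts without a
        # solved CAPTCHA, which blocks large-scale automated guessing.
        if self.failures[client_id] >= FAILURE_THRESHOLD and not captcha_solved:
            return {"ok": False, "error": "captcha_required"}

        user = USERS.get(email.strip().lower())
        expected = user["pw"] if user is not None else _DUMMY_HASH

        # Constant-time comparison; the dummy hash keeps timing uniform for
        # unknown addresses, and `user is not None` ensures the dummy password
        # can never log anyone in.
        if hmac.compare_digest(_hash_password(password), expected) and user is not None:
            self.failures[client_id] = 0
            return {"ok": True, "name": user["name"], "photo": user["photo"]}

        self.failures[client_id] += 1
        # One message for both unknown email and wrong password: the response
        # no longer reveals whether the address is registered.
        return {"ok": False, "error": "invalid_credentials"}


if __name__ == "__main__":
    print("leaky prefill:", leaky_prefill("alice@example.com"))
    svc = LoginService()
    print("unknown email:", svc.login("client-1", "nobody@example.com", "x"))
    print("wrong password:", svc.login("client-1", "alice@example.com", "wrong"))
    print("correct login:", svc.login("client-1", "alice@example.com", "correct horse"))
```

Run as a script, the first line prints the name and photo for a bare email address, while the two failed logins that follow are indistinguishable from each other; only the correct password produces the profile details. The CAPTCHA gate is keyed per client rather than per account so that a single account cannot be locked out by a third party, and the same response shape should be kept for the "forgot password" and registration forms, which are the other usual places an email-lookup oracle appears.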
But what are the real security implications? Phishing victims are more likely to fall for scams if a phishing email contains the victim's full name. Indeed, genuine emails from PayPal even offer this piece of advice in the footer:
How do I know this is not a Spoof email? Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always address you by your first and last name.
Obviously that's not safe advice.