SECURITY CONCERN: WD is sending out password resets to my old email address!

Hi!

I have had technical issues with several WD web resources, including the WD Community. I have changed my email address some time ago. I forgot about this (I actually lost my password database and was only able to recover an older version of it which included the old credentials for WD Community). That’s why I could not log onto WD Community. However, when I try to do a password reset using the link from the WD Community login page, WD sends out a reset email to my old address, i.e. the address I typed in.

I realize that WD has migrated to a new forum platform for WD Community. But why is my old email address still registered? Shouldn’t the old email address be dissociated and purged from the system? That’s what I would have done if it were up to me.

Here are some screenshots showcasing a password reset using the old email address:

This is a security concern! Anyone who has access to my old email inbox can also change my password. Despite not having access to my current email inbox! Because you see, both the old and the new email are tied to the same account at WD Community. Once they have changed the password, they can go ahead and log in, using my new email address.

Yes, they would need to know both my email addresses. But that’s also the only thing they would need. Plus access to the old email inbox. One common reason why people change their registered email address is exactly because their old email account has been compromised.

Please private message me all your emails and I’ll look into it.

[edit] If you’re trying to change your email from the Discourse email change option, it won’t work. I have to do this for you. And that may be why your password reset is going to the old email address.

By “Discourse email” you mean the email address I use to sign in here at WD Community, correct? That’s not what I meant. I can see that there is no option in here to change the email. I didn’t know that… But that’s alright. I am good with the email address I currently have.

The thing is, I have been registered at the WD forums before WD embraced the Discourse platform. For some reason my account was never moved to the new platform from the old one. I don’t care to know why, what’s done is done. But at some point, prior to the change of platform, I changed my email address… Now that I think of it, that might be the reason my forum account was missed and never moved to the new platform… but anyway, moving on…

I had forgotten that I had changed my email address. So when I was trying to log in, now on Discourse platform, using the old email address, I was unable to do so. But password resets continued to work just fine, and I kept getting password reset links and temporary passwords. So my old email address is still linked to the old forum platform which doesn’t exist anymore (or it does, but is not user accessible).

And I kept hitting my head against the wall and wondering why I could not log in, even after receiving the temporary password and the password reset link and everything. Then it hit me that I had changed my email address. So once I logged in using the current email address I was presented with a greeting and a prompt to select a username and all that. So I am seen as a new member here, while in fact I was a member long before.

Site A: Old WD Community
Status: Offline
User email: me@yahoo.com

Site B: New WD Community
Status: Online
User email: me@google.com

I changed my email before you changed the platform.

The password reset function ties to the SSO system. So whenever a user does a password reset, it resets both WD Community and WD Support portal password. That’s normal. But it also means that not only WD Community but also WD Support portal is exposed to the same vulnerability. I personally have no sensitive data on the WD Support portal, but I can imagine that business users do, and they have service plans with WD and exchange written communication that might come in handy if you know what I mean.

It appears as if there are two email registers at the backend, one from the time before and one from the time after the platform change. Or one register but misconfigured. Either way, old user data should have been purged after a successful transition to the new platform. I see no need for keeping old user data in storage in the long run. Evidently, it can only complicate things and cause harm when left abandoned and forgotten.

I believe this is related to the change of community platform. But I may be wrong. I don’t know when Discourse was introduced, but I know Lithium was used before. I’m not sure there was any SSO back then.

We have always used SSO, even with Lithium.

Just so you know, there is no security vulnerability, because whether you change your email by updating it, or by creating a new account, no one else can ever get to your old email account.

Besides, only you got that password reset anyway. I’m not sure what you did, but you have both emails on one account. I’m in the process of getting your old and new accounts merged to your new email account. That way everything works under the new account. I’ll let you know when it’s done.

I can tell you’re confused. I’m sorry, that’s in part my fault. It’s a bit complicated (actually it’s not, it’s just complicated to explain). Let me try to hit the point home once more.

Assume that me@yahoo.com is the old email that’s registered with WD, and it has been compromised and someone else now has access to the inbox.

Note that it’s the email account that’s compromised, not the WD site or the user account on the WD site. Not initially at least.

Attacker changes the password for the email account and the original account owner is thus locked out. The original owner, a.k.a. the user, is made aware that he’s locked out of the email account and suspects it has been hacked. In order not to lose access to any of the many websites and services the user has registered for using the now compromised email account, the user starts changing the registered email address to an alternative email address for each site and service, and also changing the password for each service.

The new email address is now set to me@google.com at the WD site. But in the case of the WD site, the attacker is able to use the password reset function at the WD site and have a password reset link sent to himself, to the old address and the inbox which he now controls.

The behavior I would expect here is that the WD site returns an error, telling the attacker that there is no user account registered with such email address. But that’s not what happens, and that’s an issue.

Once the attacker receives the reset link, he can set the password to his own liking. Now, in order to log in at both the WD Community and Support portal (basically wherever WD SSO can take you), he only needs to figure out what the current registered email address is that the user changed to at the WD site. This is often not too hard, as many people in this day and age like to use this popular format: firstname.lastname@service.com. He just needs to provide this at the WD SSO login prompt and the password he chose himself and he is in.

This may or may not affect other user accounts. I do not know. I can only tell from what I have seen this far, using my own account. This may even be disregarded as a non-issue. But if you understand what I’m saying I think you should look into it. Just disengage, disassociate any old remaining connections you may have between old email addresses to the SSO. Disable it so that the password reset function only works by sending the reset link to the currently registered email address, and not some old address from a distant past, from some old forum platform. Get rid of the ghost in the machine.

The lesson of this story is that we are all very much tied to our email addresses. They are our identity on the web. Most Internet services today are still using email based account registrations and many of them, WD included, use the email address as the account name. That’s why it’s important to keep them safe in order to keep the bad guys out. We should not be assisting them in any way, not even by, or especially by, sending out password reset links to some old email address we no longer use or trust. Luckily my old email account is not compromised yet, but the service is not very good and I am looking at closing it down for good. That’s why I have a new email account registered here.
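The failure mode described in the post above, as an added illustration that is not WD’s code or anything from the thread: a user record that still carries a stale address left behind by a platform migration, a reset lookup that matches on that stale alias and mails the link to whatever address was typed in, and beside it a hardened variant that resolves only the currently registered address, always mails the link to that address, and issues a token bound to the user id and current email so that a token obtained through an old address stops validating once the address is replaced. All names, the in-memory store, the signing key and the sample addresses (me@yahoo.com as the stale alias, me@google.com as the current one, reusing the thread’s placeholders) are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a server-side key used to sign reset tokens (hypothetical).
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed)


@dataclass
class User:
    user_id: int
    email: str                                       # currently registered address
    legacy_emails: set = field(default_factory=set)  # stale addresses left by a migration
    password_hash: str = ""


class AccountStore:
    """In-memory stand-in for the SSO user directory (constructed, not WD's)."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def find_by_email_vulnerable(self, email):
        """Matches the current address OR any stale legacy alias: the bug in the thread."""
        e = email.lower()
        for u in self.users.values():
            if e == u.email.lower() or e in {x.lower() for x in u.legacy_emails}:
                return u
        return None

    def find_by_email_hardened(self, email):
        """Matches only the currently registered address."""
        e = email.lower()
        for u in self.users.values():
            if e == u.email.lower():
                return u
        return None

    def merge_legacy(self, user_id):
        """What the moderator's fix amounts to: drop the old alias for good."""
        self.users[user_id].legacy_emails.clear()


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_reset_token(user, now):
    """Token bound to user id, the user's current address, and issue time."""
    nonce = secrets.token_hex(8)
    payload = f"{user.user_id}|{user.email.lower()}|{int(now)}|{nonce}"
    return f"{payload}|{_sign(payload.encode())}"


def verify_reset_token(store, token, now):
    """Returns the user if the token is intact, unexpired, and still matches the
    user's *current* email. A token issued for an address that has since been
    replaced fails the email check even though its signature is valid."""
    try:
        uid, email, issued, nonce, sig = token.split("|")
    except ValueError:
        return None
    payload = f"{uid}|{email}|{issued}|{nonce}"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    if int(now) - int(issued) > TOKEN_TTL:
        return None
    user = store.users.get(int(uid))
    if user is None or user.email.lower() != email:
        return None
    return user


def request_reset_vulnerable(store, submitted_email, now=0):
    """Resolves stale aliases and mails the link to the address that was typed in,
    which is exactly the behaviour the original poster observed."""
    user = store.find_by_email_vulnerable(submitted_email)
    if user is None:
        return None
    return (submitted_email.lower(), issue_reset_token(user, now))


def request_reset_hardened(store, submitted_email, now=0):
    """Resolves only the current address and always mails the link there.
    Returns None for unknown addresses (the caller should still answer the
    browser with the same generic message either way, to avoid enumeration)."""
    user = store.find_by_email_hardened(submitted_email)
    if user is None:
        return None
    return (user.email.lower(), issue_reset_token(user, now))


if __name__ == "__main__":
    # Constructed sample data: me@yahoo.com is the stale alias, me@google.com is current.
    store = AccountStore([User(1, "me@google.com", {"me@yahoo.com"})])
    print("vulnerable:", request_reset_vulnerable(store, "me@yahoo.com"))  # link goes to the old inbox
    print("hardened:  ", request_reset_hardened(store, "me@yahoo.com"))    # None: not a registered address
```

Two design choices carry the weight here. The hardened lookup never consults the legacy alias set, so a migration leftover cannot become a reset path; and the token carries the address it was issued for, so changing the registered email implicitly revokes every outstanding reset link, which closes the window between "user notices the old inbox is compromised" and "user updates the address". Note that the poster's wish for an explicit "no such account" error trades enumeration resistance for clarity; the hardened function returns None to the caller, but the HTTP response should look identical for known and unknown addresses.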

Actually, I’m not confused. I just didn’t know that google and yahoo will reassign old email addresses. Now that I do, what you are saying is true for your old email. However, because we’re updating your account, if someone gets your old email and resets the password here, they will NOT have access to any of your posts or private messages.

Everything from our old platform, Lithium, was migrated to the new platform. We do not delete anything. We do, however, disable user accounts when a user wants to move on. I understand your concern, but anyone who feels concerned that their account might be reused by someone else only needs to contact one of the moderators. It is impossible to babysit accounts, so if users are concerned about this, then they need to contact us to disable their accounts.

In your case, someone, somewhere, tried to update your email from the old to the new, and left your account only partially updated. That’s why you got the password reset sent to your old account.

Like I said, above, our programmer should have your account fully updated soon. Then your account will only reflect your new email. I will let you know as soon as it’s done.

We have fully updated your user account, and your previous email has been disabled.


This email address does not exist in our system.

Now it works as expected. Thank you!

Sorry this happened. I have idea who did this, but once I saw what was really going on, it was a simple fix.

[quote=“Bill_S, post:6, topic:150825”]
I just didn’t know that google and yahoo will reassign old email addresses.[/quote]

I don’t know about Yahoo, but Google doesn’t reassign any email addresses once the associated account has been closed. But please disregard the google.com and yahoo.com in the addresses, I only used those as placeholders. Those are not the actual email addresses I used.

[quote=“Bill_S, post:6, topic:150825”]
In your case, someone, somewhere, tried to update your email from the old to the new, and left your account only partially updated.[/quote]

I don’t think anyone else had access to my WD account. That someone was me. You may just be seeing a different IP address. But I changed the address from the old email address (insecure) to the new address, and I did this before the migration to the new forum platform.

I believe the migration was not done very well, so my old email was kept registered with the forum, instead of registering the new address I had changed to prior to the migration and moving my old forum profile to the new platform. Something screwed up somewhere in the migration process. But I’m good with the current email and the current forum profile. As long as password resets are sent to the now current email address, instead of the old address.

No, that was exactly what we wanted to happen. Otherwise, everyone would have had to re-register, and they would have been yelling at me over it. But I’m glad your email is fixed now.