serious security issue #login


Peter Cook
 

In response to replying to a group post, one of my members received this. (I've x-ed out the last part for security reasons.)

===============================

Hello,

Here is a link to log into your Groups.io account:

https://woodmoor.groups.io/loginlink/xxxxxxxxxxxxxxxxx

It will expire in 24 hours, on 05/17/2020 at 10:26am EDT,
but you'll stay logged in for 30 days, unless and until you log out.

If you did not ask for a login link to be sent to you, please ignore this email.

Cheers,
The Groups.io Team

===============================

Here's the problem. When I clicked on this link, I was immediately logged into her account without being asked for her password. Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?

Pete


Bruce Bowman
 

On Sun, May 17, 2020 at 10:57 AM, Peter Cook wrote:
In response to replying to a group post, one of my members received this. (I've x-ed out the last part for security reasons.)
Peter -- This looks like the normal "email me a link to log in" message, sent when you click the corresponding button on the login page.

Here's the problem. When I clicked on this link, I was immediately logged into her account without being asked for her password.
Yes, clicking the login link does log you in to the referenced account. Account security comes from having access to the email account where the link was sent. If you cannot access that email address, you cannot use the login link.

That's why people shouldn't be forwarding them, any more than they should be sharing their social security number or credit card credentials.

Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?
If the "email me a link" function were disabled, there would be no means to perform an initial login, and therefore no way to establish a password.
 
Regards,
Bruce

Check out the new groups.io Help Center and groups.io Owners Manual


Andy Wedge
 

On Sun, May 17, 2020 at 03:57 PM, Peter Cook wrote:
When I clicked on this link, I was immediately logged into her account without being asked for her password. Does anyone besides me see this as a serious security breach? Wouldn't it make sense that someone clicking on this would be required to enter a password?
If you look at the member's manual you will see that logging in by having a link emailed to you is perfectly legit and the way the system is designed to work. The link is personalised for the intended recipient so the security issue is really the fact that your member shared it with you - they effectively gave you the password to enable you to login to their account.

Andy


Peter Cook
 

On Sun, May 17, 2020 at 11:06 AM, Bruce Bowman wrote:
If the "email me a link" function were disabled, there would be no means to perform an initial login, and therefore no way to establish a password.
This account already had a password. Are you saying this link is also used for users who have not yet established one?


Bruce Bowman
 

On Sun, May 17, 2020 at 11:11 AM, Peter Cook wrote:
Are you saying this link is also used for users who have not yet established one?
That's correct...or have forgotten it.

Regards,
Bruce



Duane
 

On Sun, May 17, 2020 at 10:11 AM, Peter Cook wrote:
Are you saying this link is also used for users who have not yet established one?
The procedure can be used by any member at any time.  Some use it for convenience, especially when they have a strong password and multiple devices.  As long as you visit the site at least once every 30 days, the cookie on a device is updated so you won't need to log in again.  You could even enter someone else's email address, but the email would go to that address, so it wouldn't allow you in unless you had control of their email.

Duane
--
The official Groups.io user documentation is in the Groups.io Help Center.
GMF's Unofficial Help Wiki: https://groups.io/g/GroupManagersForum/wiki


Marv Waschke
 

Peter-- You are right. This is a serious security compromise for convenience. Groups.io, like most consumer applications, is not highly secure. If it were, it would not be used by most of the people who use it now. When someone forgets the password to an account and is sent a link to reset their password, they engage in an insecure transaction. In a high security environment, they would undergo a lengthy in person interview, have their fingerprints taken, their retina scanned, and a DNA swab analyzed before getting a new password. If they lost their password, they would have to repeat the process and there would be a fair chance they would be permanently denied access for their carelessness. If a product like Groups.io were set up in that manner, who would use it? We make compromises for convenience. This is one of them and a common one.

In this case, users rely on the security of their email account. Many consumer applications and services also rely on email account security. It never hurts to remind folks to keep their email accounts secure and never forward emails that contain links that are signs of authentication, like links to password resets or entrance to Zoom meetings.
Best, Marv


Chris Jones
 

On Sun, May 17, 2020 at 03:57 PM, Peter Cook wrote:
In response to replying to a group post, one of my members received this.
I may have overlooked something that someone has posted, but IMHO the oddity in this case is that it was sent out when it neither needed to have been nor should have been. As the link was applicable to the account of the person to whom it was originally sent (albeit for reasons unknown and not obviously explicable), there was no immediate risk to a member's security.

There is an argument that in forwarding the message with the link to an Owner or Moderator the member did risk compromising their own security, but that is not the same as Groups.io compromising it. That forwarding is understandable if the member in question was genuinely puzzled by its arrival, which I think I would have been as well.

If the sequence of events was indeed as described in the opening post in this topic then surely the question is why did Groups.io send a log-in link to someone who had simply responded to a group message and had (we must assume) not requested such a link?

As far as I can see nobody has raised this point in their responses.

Chris


Frances
 

On Sun, May 17, 2020 at 10:57 AM, Peter Cook wrote:
Here is a link to log into your Groups.io account:

https://woodmoor.groups.io/loginlink/xxxxxxxxxxxxxxxxx

It will expire in 24 hours, on 05/17/2020 at 10:26am EDT,
but you'll stay logged in for 30 days, unless and until you log out.
The link is time limited. It had been a smaller time window, if I recall correctly. Is reverting to a shorter time to log in something worth asking for?

Frances
 
--
GMF wiki for help. Search box at the top of each page.

Check out the new groups.io Help Center. Use your browser to search or download the PDF.


Nivard Ovington
 

I don't think anyone raised it as it very likely didn't happen

Has anyone here ever received a log in message without asking for it?

I certainly haven't and no one has ever mentioned it to me

I would lay odds that the subscriber whose link it was, inadvertently clicked the link without realising what it did (or ooh what does that do?)

Then they received a log in link and not realising what it was, forwarded it to the admin and as it was within 24 hours they managed to log in

I do not see it as a security risk, I see it as ignorance on the part of the users

Nivard Ovington in Cornwall (UK)

On 18/05/2020 15:07, Chris Jones via groups.io wrote:
On Sun, May 17, 2020 at 03:57 PM, Peter Cook wrote:
In response to replying to a group post, one of my members received this.
I may have overlooked something that someone has posted, but IMHO the oddity in this case is that it was sent out when it neither needed to have been nor should have been. As the link was applicable to the account of the person to whom it was originally sent (albeit for reasons unknown and not obviously explicable), there was /no/ immediate risk to a member's security.


Ken Cameron
 

Further, the systems need to have a way to reset passwords without staff involved. Most add a couple of security questions to the page the emailed link takes you to. The link has codes in it to say who you are, but then you play the questions game to confirm you are you.

But this is a good sign of what level of security is needed where. Simple list server, no questions. Your bank, a couple of questions. Corporate services like hosting or DNS, a raft of questions.

-Ken Cameron, Member JMRI Dev Team
www.jmri.org
www.fingerlakeslivesteamers.org
www.cnymod.org
www.syracusemodelrr.org


Bob Bellizzi
 

On Mon, May 18, 2020 at 08:12 AM, Nivard Ovington wrote:
Nivard
Another point that might be pertinent is that even if one logs in with a password, access is limited to 30 days from that login or last access after that login, whichever is later.
We weren't told nor did we consider whether the person receiving the login email was inactive for over the limit.
Peter Cook, can you tell us if your member had not been online for 30 days prior to this event?
--

Bob Bellizzi


Bruce Bowman
 

We're probably overthinking this. The "email me a link" button lies immediately below the regular Login [with a password] button. Not surprising that the wrong one might be tapped occasionally, especially on a phone.

Regards,
Bruce



Christopher Warrington
 

On 2020-05-18 at 6:44:15 AM, Marv Waschke <marv@marvinwaschke.com> wrote:

In this case, users rely on the security of their email account. Many consumer applications and services also rely on email account security. It never hurts to remind folks to keep their email accounts secure and never forward emails that contain links that are signs of authentication, like links to password resets or entrance to Zoom meetings.
If you have 2FA configured for your account [1], the login link prompts for a 2FA code. A classic less convenience, more security trade off that's available for the more security conscious.

[1]: https://groups.io/helpcenter/membersmanual/1/understanding-groups-io-accounts/setting-account-preferences-and-viewing-account-information

--
Christopher W. <lists@cw.codes>
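The flow that Bruce, Duane and Christopher describe above (a token mailed to the account's address that expires in 24 hours, a session that lasts 30 days from the last visit, and a 2FA prompt when the account has it enabled) written out as an added Python example. This is illustrative code, not Groups.io's implementation; the host name in the URL, the in-memory stores, the injected clock and the sample addresses are all assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Lifetimes quoted in the thread: link valid 24 hours, session 30 days.
LINK_TTL = timedelta(hours=24)
SESSION_TTL = timedelta(days=30)


@dataclass
class Account:
    email: str
    totp_enabled: bool = False   # 2FA configured on the account


@dataclass
class LoginLink:
    email: str
    expires_at: datetime
    used: bool = False


@dataclass
class Session:
    email: str
    expires_at: datetime
    second_factor_ok: bool       # False until a 2FA code has been verified


class MagicLinkService:
    """Illustrative 'email me a link to log in' flow (not Groups.io's code)."""

    def __init__(self, accounts: list,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.accounts = {a.email: a for a in accounts}
        # Keyed by SHA-256 of the token, so a leaked table is not a login.
        self.links: dict = {}
        self._now = now

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_link(self, email: str) -> str:
        """Return the URL that would be mailed to `email`.

        A URL is built either way so the response does not reveal whether the
        address is registered; only registered addresses get a stored record,
        and the mail goes only to that address (the property Duane relies on).
        """
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        if email in self.accounts:
            self.links[self._fingerprint(token)] = LoginLink(
                email=email, expires_at=self._now() + LINK_TTL)
        return f"https://example.groups.io/loginlink/{token}"  # assumed host

    def redeem(self, token: str) -> Optional[Session]:
        """Log in whoever holds the token; no password is asked for.

        That is why a forwarded link works for the moderator too. The only
        defences are the 24-hour expiry, single use, and the 2FA gate.
        """
        link = self.links.get(self._fingerprint(token))
        if link is None or link.used or self._now() >= link.expires_at:
            return None
        link.used = True                    # a replayed link is dead
        account = self.accounts[link.email]
        return Session(email=link.email,
                       expires_at=self._now() + SESSION_TTL,
                       second_factor_ok=not account.totp_enabled)

    def touch(self, session: Session) -> bool:
        """Sliding expiry: a visit inside the 30 days renews the cookie."""
        if self._now() >= session.expires_at:
            return False
        session.expires_at = self._now() + SESSION_TTL
        return True


def walk_through() -> dict:
    """Replay the thread's scenario against a controllable (constructed) clock."""
    clock = [datetime(2020, 5, 16, 10, 26, tzinfo=timezone.utc)]
    svc = MagicLinkService([Account("member@example.org"),
                            Account("careful@example.org", totp_enabled=True)],
                           now=lambda: clock[0])
    token = svc.request_link("member@example.org").rsplit("/", 1)[1]
    forwarded = svc.redeem(token)           # moderator clicks the forwarded link
    replay = svc.redeem(token)              # ... and tries it a second time
    stale = svc.request_link("member@example.org").rsplit("/", 1)[1]
    clock[0] += timedelta(hours=24, minutes=1)
    expired = svc.redeem(stale)             # past the 24-hour window
    gated = svc.redeem(svc.request_link("careful@example.org").rsplit("/", 1)[1])
    clock[0] += timedelta(days=29)
    renewed = svc.touch(gated)              # visit on day 29 renews 30 more days
    clock[0] += timedelta(days=31)
    lapsed = svc.touch(gated)               # 31 idle days: cookie has lapsed
    return {
        "forwarded_link_logs_in": forwarded is not None and forwarded.second_factor_ok,
        "link_is_single_use": replay is None,
        "link_expires_after_24h": expired is None,
        "2fa_account_still_needs_code": gated is not None and not gated.second_factor_ok,
        "session_slides_on_visit": renewed,
        "idle_session_lapses": not lapsed,
    }
```

The point of `walk_through` is the first two keys: the forwarded link does log the recipient in without a password, exactly as Pete saw, and the same link cannot be used twice. Storing only the hash of the token and minting a URL for unknown addresses are the two details a practitioner would want that the thread does not spell out.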


Peter Cook
 

Thanks for the responses. This situation keeps evolving (slowly) since the member is very tech-challenged and I'm learning more bit by bit. So I can't yet answer the questions you've asked.

The latest is that when she clicks the link, she is taken to a page that looks like the attached. I assume she copied the page and pasted it into Word. I've removed the actual links.

Pete



Duane
 

On Tue, May 19, 2020 at 07:58 AM, Peter Cook wrote:
The latest is that when she clicks the link, she is taken to a page that looks like the attached.
If she's trying to use the original link, it won't work.  They expire after 24 hours, so she'd need to get a new one, assuming she really wants to log in that way.

Duane