CR · Aug 4, 2016

Personal Information Leakage During Password Recovery of Internet Services

arXiv:1608.01492v1 · 13 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses a privacy vulnerability affecting users of large Internet services, revealing incremental risks in standard security practices.

The paper examines the password recovery processes of major Internet services like Gmail, Facebook, and Twitter, demonstrating that unauthorized individuals can obtain personal information such as email addresses, phone numbers, and friends lists, which can be used to deduce more focused user details.

In this paper we examine the standard password recovery process of large Internet services such as Gmail, Facebook, and Twitter. Although most of these services try to maintain user privacy, with regard to registration information and other personal information provided by the user, we demonstrate that personal information can still be obtained by unauthorized individuals or attackers. This information includes the full (or partial) email address, phone number, friends list, address, etc. We examine different scenarios and demonstrate how the details revealed in the password recovery process can be used to deduce more focused information about users.
