I have just found what I believe to be a serious risk for account hijacking at Dynalist:
If I want to change my login email address, there is no way to do that online within my secure browser session while I am logged in. The process is that I need to send an unprotected email to support (any hacker can easily spoof the sender address) and I simply send them the login email of the account and the new email address.
So any hacker who wants to hijack my account, with all my personal or business data, simply needs to spoof an email sender address. Then the login gets changed to their new address and finally they click on “Request password reset”. I lose access to my account and they have all of my personal data which I have stored in Dynalist.
I sent a message to the support and their reply was: “We have not experienced anyone taking our trust to their advantage yet.”
I am very concerned about this.
(I am not storing any business data in Dynalist. Running a business in the EU, this would not comply with the GDPR regulation at all.)
Our systems rely on the SPF and DKIM checks to validate emails. Most email services such as Gmail, Yahoo, etc. all strictly follow the SPF and DKIM protocol, which allows us to put spoofed emails straight to spam. Your original email change was approved because your email is verified to be from “gmail.com” using the two security measures.
Given you’re security-sensitive, I double-checked your email provider. It seems that on “mike77.com” (not real), you have an SPF record set to “v=spf1 mx a ?all” and a DKIM which is not configured. This is the equivalent of saying ANY server on the internet can send emails as “mike77.com” (not real) and spoof your email address.
Since this is what you’ve purposefully configured for your email address, the email security protocol is basically telling us that any email (spoofed or not) is real and we should believe that it is actually sent from you.
In contrast, Gmail, for example, has a properly configured SPF and DKIM record (which I can see and verify, such as your original email sent from mike77@gmail.com (not real)).
In either case, this is the industry-standard authentication system, which did validate your original email. If you can configure your own domain name to properly advertise SPF and DKIM records, you can be assured that nobody will be able to spoof your emails, as all modern internet email systems will verify the SPF and DKIM records.
We do plan to provide a way to automate changing emails. We don’t want to manually do this tedious process either, especially given the spoofing risk.
If your domain doesn’t have SPF and DKIM, we’ll reply and ask for a confirmation. Although the hacker could spoof your email, he is not able to receive our request for confirmation unless he has access to your email already. That would help us ensure we’re talking to the owner of the email.
In a few weeks Dynalist will provide a way to change your email on your own in the secure session, and this will no longer be an issue.
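An added example (not Dynalist's code) of the two points the support reply above makes: classifying a domain's SPF record by its terminal `all` qualifier (the quoted `v=spf1 mx a ?all` gives spoofed mail a free pass) and falling back to a confirmation sent to the existing address when the sender's domain cannot be authenticated. The TXT records and the SPF/DKIM pass flags are constructed inputs, not live DNS lookups or real Authentication-Results headers.

```python
import re
from dataclasses import dataclass

# Constructed sample TXT records (placeholders, no DNS lookups); the
# "mike77.com" record is the one quoted in the support reply.
SAMPLE_TXT_RECORDS = {
    "mike77.com": "v=spf1 mx a ?all",
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "strict.example": "v=spf1 mx -all",
}

def spf_all_qualifier(record):
    """Qualifier of the terminal 'all' mechanism: '+', '-', '~', '?' or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' is equivalent to '+all'
    return None

def spf_policy_strength(domain, records, depth=0):
    """'enforcing' if unauthorised senders fail or soft-fail, else 'permissive'."""
    record = records.get(domain, "")
    q = spf_all_qualifier(record)
    if q in ("-", "~"):
        return "enforcing"
    # RFC 7208 'redirect=' hands evaluation to another domain's record.
    m = re.search(r"\bredirect=(\S+)", record, re.IGNORECASE)
    if m and depth < 10:
        return spf_policy_strength(m.group(1), records, depth + 1)
    return "permissive"   # '+all', '?all', or no usable record at all

@dataclass
class AuthResult:
    from_domain: str   # domain of the From: address
    spf_pass: bool     # as reported by the receiving mail server (assumed input)
    dkim_pass: bool    # likewise

def email_change_decision(auth, records=SAMPLE_TXT_RECORDS):
    """Act on a mailed email-change request directly only when both checks pass
    and the domain's policy actually rejects spoofing; otherwise confirm with
    the existing address first, which a spoofer cannot read."""
    if auth.spf_pass and auth.dkim_pass and \
            spf_policy_strength(auth.from_domain, records) == "enforcing":
        return "approve"
    return "confirm-with-existing-address"
```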
I just noticed that an invasion attack attempt happened in the WorkFlowy servers. It forced them to disconnect all users’ sessions and advise them to change their passwords if the same pwd is used in different site(s)… More details can be found on the link below. I don’t use WF anymore and I don’t regret any day having switched to Dynalist, but I still occasionally receive blog news updates from them.
Considering Dynalist has also very sensitive data, and STILL does not offer 2FA / MFA (like Workflowy), I wonder if this could be a good opportunity to reinforce this idea / project.
This is really worrying and a critical concern. I have a strong password, not used anywhere else, and always log out from my sessions when I’m not using them; but the possibility that something like this could also happen still terrifies me.
That scared me for a moment because I keep mixing up “Dynalist” and “Workflowy”.
But yeah, a good wake up call that we should all maybe not store sensitive data in too many hackable places, and not re-use passwords on different websites.
Dynalist has better than 2FA. Use Google login rather than email login. Google OAuth has better security features (machine learning, location, ISP, confirm on phone notification, 2FA, lots of good stuff). A hacker would need to get through the Google 2FA to reset your password or log in to your Dynalist. You can’t really disable the email login altogether without signing up for Dynalist again and never making one, but you can generate a super secure password that you just forget and don’t save anywhere. Then just log in or password reset via Google 2FA.
I’d also advise you not to use Google OAuth for the backups location - say a YouTube moderator misreads a comment and bans you across all Alphabet properties, and your only Dropbox login was Google OAuth, then you just lost your Dynalist AND the backups.
Thanks for your inputs. Yes, I started using Dynalist with my Google account linked to it. I have had 2FA activated on my Google account for years already. But I don’t believe this link between Dynalist and Google 2FA offers a really good solution as opposed to having Dynalist with its own 2FA mechanism and authentication.
One reason that made me disable the Google OAuth with Dynalist is the possibility that my phone or computer gets stolen or hijacked. If someone got his hands on it, then simply open the Dynalist app and click “Sign-in with Google”, then boom, no questions asked… Dynalist opens up immediately. To disallow it, I’d have to have access to a different phone or computer, access my Google account (maybe disable the 2FA with the backup codes pre-saved somewhere) and then remove the access link between Dynalist and Google. I’m not sure if changing the Google password could help in anything here, but I don’t think so.
Having only the basic Username and Password within Dynalist makes me a bit more secure in this aspect… Maybe it’s just me.
And by the way, the thing you said about the possibility and easiness for Google to disable and purge your entire account is really scary. I wish there could be a way to revert it, but I guess only with a good lawyer… Wonder if Jackie Chiles would be still available…
The only thing that gives me assurance is to not put all my eggs in one basket. Despite Google OAuth being secure, I would not use it for all my accounts because it makes me dependent on Google. I also would not trust Dynalist if I didn’t have automatic daily backups to Dropbox, and I wouldn’t trust Dropbox if it didn’t automatically sync to my home computer, and I wouldn’t trust my home computer if it didn’t autosync to the backup service.
All this is about not losing my data.
A separate question is about securing data from theft. That I haven’t thought deeply about.