Major security concern


#1

I have just found what I believe to be a serious risk for account hijacking at Dynalist:

If I want to change my login email address, there is no way to do that online within my secure browser session while I am logged in. The process is that I need to send an unprotected email to support (any hacker can easily spoof the sender address) and I simply send them the login email of the account and the new email address.

So any hacker who wants to hijack my account, with all my personal or business data, simply needs to spoof an email sender address. Then the login gets changed to their new address and finally they click on “Request password reset”. I lose access to my account and they have all of my personal data which I have stored in Dynalist.

I sent a message to the support and their reply was: “We have not experienced anyone taking our trust to their advantage yet.”

I am very concerned about this.

(I am not storing any business data in Dynalist. Running a business in the EU, this would not comply with the GDPR regulation at all.)


#2

Agreed, this could be very serious. DL should ideally implement 2FA and not allow hijacking this way.


#3

This is our reply to Mike’s ticket:

Our systems rely on the SPF and DKIM checks to validate emails. Most email services such as Gmail, Yahoo, etc. all strictly follow the SPF and DKIM protocol, which allows us to put spoofed emails straight to spam. Your original email change was approved because your email is verified to be from “gmail.com” using the two security measures.

Given you’re security-sensitive, I double-checked your email provider. It seems that on “mike77.com” (not real), you have an SPF record set to “v=spf1 mx a ?all” and a DKIM which is not configured. This is the equivalent of saying ANY server on the internet can send emails as “mike77.com” (not real) and spoof your email address.

Since this is what you’ve purposefully configured for your email address, the email security protocol is basically telling us that any email (spoofed or not) is real and we should believe that it is actually sent from you.

In contrast, Gmail, for example, has a properly configured SPF and DKIM record (which I can see and verify, such as your original email sent from mike77@gmail.com (not real)).

In either case, this is the industry-standard authentication system, which did validate your original email. If you can configure your own domain name to properly advertise SPF and DKIM records, you can be assured that nobody will be able to spoof your emails, as all modern internet email systems will verify the SPF and DKIM records.

We do plan to provide a way to automate changing emails. We don’t want to manually do this tedious process either, especially given the spoofing risk.
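An added example (not Dynalist's code and not from any poster in this thread) showing what a receiving server concludes from the “?all” record quoted above versus a “-all” record; the domain, DNS data and sender IPs are constructed.

```python
"""Minimal SPF evaluator covering the "a", "mx", "ip4" and "all" mechanisms.

Added example, not Dynalist's code. DNS data is constructed inline so the
check runs offline; "mike77.com" is a placeholder domain as in the thread.
"""
import ipaddress

# Constructed DNS data for the placeholder domain.
FAKE_DNS = {
    "mike77.com": {"A": ["203.0.113.10"], "MX": ["mail.mike77.com"]},
    "mail.mike77.com": {"A": ["203.0.113.25"]},
}

# SPF qualifier prefix -> result name (RFC 7208 terminology).
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addresses(name, record_type="A"):
    """A addresses of a host; for MX, resolve each MX host to its A addresses."""
    if record_type == "MX":
        hosts = FAKE_DNS.get(name, {}).get("MX", [])
        return [ip for host in hosts for ip in _addresses(host)]
    return FAKE_DNS.get(name, {}).get("A", [])


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF TXT record for a connecting sender IP and return the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech == "a" and str(ip) in _addresses(domain):
            return RESULTS[qualifier]
        if mech == "mx" and str(ip) in _addresses(domain, "MX"):
            return RESULTS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    unrelated = "198.51.100.7"  # constructed: a server with no relation to the domain
    print(check_spf("v=spf1 mx a ?all", "mike77.com", unrelated))  # neutral
    print(check_spf("v=spf1 mx a -all", "mike77.com", unrelated))  # fail
```

With “?all”, mail from a server the domain never listed still evaluates as neutral, so the receiver has no basis to reject it; with “-all” the same message fails SPF.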


#4

Thank you Erica.

How do you currently protect those of your customers who don’t use SPF and DKIM compliant email providers from getting their account hijacked?


#5

If your domain doesn’t have SPF and DKIM, we’ll reply and ask for a confirmation. Although the hacker could spoof your email, he is not able to receive our request for confirmation unless he has access to your email already. That would help us ensure we’re talking to the owner of the email.

In a few weeks Dynalist will provide a way to change your email on your own in the secure session, and this will no longer be an issue.


#6

Okay, thank you.

Do you plan to offer GDPR compliance, which is required for EU business customers?


#7

No plans for that for now, sorry.