Tech by VICE

Enable This Setting So People Can’t Guess Your Email Address from Your Twitter

Do social media sites give too much detail away during a password reset?

by Joseph Cox
Apr 15 2016, 3:17pm

Photo: Esther Vargas/Flickr

An independent researcher has found a trick for guessing email addresses based on a user's Twitter handle.

"No special technical skills are needed," independent researcher Chris Monteiro, who recently flagged the apparent issue, told Motherboard in an email.

Monteiro attempted to gather email addresses from 99 different Twitter accounts, and claims to have obtained 30 successfully. Motherboard confirmed several high-profile Twitter users in the list via their apparent email addresses. Most of the users contacted by Motherboard declined to comment further.

The process itself is simple enough. Monteiro just clicked on the 'Forgotten your password?' button at the Twitter login screen, entered the relevant username, and was then presented with a partially redacted email address.

Motherboard managing editor Adrianne Jeffries volunteered her Twitter account for this screencap. The last two digits of her phone number are blurred.

The first two letters of the email address were displayed, followed by either the whole domain (such as "gmail.com"), or a redacted version. Twitter also showed how many characters were in the email address in total, which in 30 cases was seemingly enough for Monteiro to correctly guess the full address.

This only works, however, for Twitter users who haven't selected the "Require personal information to reset my password" option in their account settings. When that is clicked, a user needs to enter their full email address or linked phone number to reset their password.

It's worth pointing out that this sort of problem isn't isolated to Twitter though: other social media sites can also give away a fair bit about a user's email address. Monteiro said he tried the trick on Facebook and got pretty much the same result.

Motherboard made a dummy account on Facebook, and was able to call up a similarly redacted version of the account's email address, too. (The dummy account didn't use a particularly popular email service, so the domain was also redacted).

"There are certainly many malicious uses this information can be put to."

On Instagram, things are slightly different: upon typing in a username, a password reset email is automatically sent to the user's address, which would likely alert them to any snooping. But the site still displayed a redacted email address, at least in Motherboard's test. LinkedIn, for its part, requires you to enter a full email address to reset a password, it appears.

After obtaining someone's email, Monteiro envisions all sorts of scenarios: flooding the person with spam by signing them up to different lists, or sending abuse to the person to intimidate them, which is sometimes a problem for activists or public figures generally. Monteiro also says it may be useful information for an attacker to find out someone's real identity, if they are using a pseudonym.

Nu Wexler, a spokesperson for Twitter, told Motherboard in an email, "Sorry, we don't have a comment for your story," and instead pointed to the Twitter documentation on recovering passwords.

Monteiro said he sent details of the apparent problem to Twitter, but the company said that it didn't qualify for its bug bounty program. He also sent details to Facebook, and the company has been informed of the process in the past.

A dummy account. For common domains such as Gmail, Facebook will display the entire domain.

Of course, this trick isn't necessarily an issue for all of those affected. Anyone who has a hard-to-guess email address is already protected. Some people might have no problem with the email address linked to their Twitter account being guessed, or it might be public in the first place. Some email addresses are easy to work out, and aren't supposed to be a secret—plenty of businesses, for example, just use a 'first name, last name' format for their addresses. And if a celebrity is using an easy-to-guess email, such as their name or a slight variation thereof, determined people will probably work it out anyway, without a social media site's inadvertent help.

"This feature is important for helping you locate your recovery email address if you lose access to your Facebook account. In many cases, people add these email addresses years earlier and need a hint to know where to look when we're assisting them with an account issue," a Facebook spokesperson told Motherboard in an email.

"We've thought carefully about how else the feature could be used and have designed protections accordingly. For example, if you receive unwanted password reset emails from us via this recovery feature, the emails contain a disavow option and a setting that prevents others from looking you up by your username."

That being said, this could still cause a bit of a headache for those who would rather not have their email a few clicks and guesses away, especially considering the use of Twitter as a tool for harassment.

"Purely personally, it's not so much a problem as the email addresses I use for public facing communication are freely available. But I am sure this will concern many, particularly people who have been subject to abuse. There are certainly many malicious uses this information can be put to," Loz Kaye, from Open Intelligence Think Tank, and former leader of the Pirate Party UK, told Motherboard in an email, after having his address guessed.

If you are concerned about this, you can change your Twitter-linked email to a dedicated address; perhaps something like bobtwitteraccount@gmail.com, for example. You could go ahead and click the "Require personal information to reset my password" option. It can be found in the Settings menu, and then Security and Privacy. Or, for Twitter as well as other social networks, set up email aliases, making whatever email that is stored by a site that much different from your main address, and harder to guess.