Updated — MocoSpace reveals private e-mail addresses

While this discussion is specific to the MocoSpace social network, the vulnerabilities described are generic enough to be present in any similar system that has not taken these problems into consideration. These vulnerabilities, when exploited, disclose the private e-mail address of a targeted user.

MocoSpace assigns “@mocospace.com” e-mail addresses to all of its users, allowing them to exchange messages with external, non-MocoSpace users. Having a MocoSpace e-mail address lets users communicate with both MocoSpace and external users without having to reveal their private e-mail address.

When a message arrives in a MocoSpace user’s inbox, a notification message is sent to their private e-mail address, instructing them to log into MocoSpace to see the contents of the received message. MocoSpace formats the notification message so that it appears to come from the MocoSpace or external e-mail address of whoever sent the message. Private e-mail addresses can be disclosed because of the way external mail systems handle these formatted notification messages.

Social Engineering Exploit

The first exploit involves social engineering. The object is to trick the user into replying to the notification message. Doing so discloses the user’s private e-mail address to the attacker.

Let us suppose that Jane Famous, whose private e-mail address is JaneFamous@example.com, becomes a MocoSpace user.  If she registers the user name “JaneFamous,” then JaneFamous@mocospace.com becomes her MocoSpace e-mail address.  This allows Jane to exchange messages with her fans, whether or not they are MocoSpace users.

John Evil sends a taunting message to Jane Famous.

Suppose that Jane has a stalker, John Evil, who also becomes a MocoSpace user, with the user name “JohnEvil,” which makes JohnEvil@mocospace.com his MocoSpace e-mail address. He decides to send a taunting message to Jane. In fact, he sends several dozen over a period of time…

Jane’s MocoSpace message notification.

And each time he does, a notification message appears in the inbox of Jane’s private e-mail address. The notification gives no indication of the actual message content; Jane must log into MocoSpace if she wants to read it.

Consequences of replying to a notification message.

However, MocoSpace formats the notification message with John’s MocoSpace e-mail address in the “From:” field and Jane’s private e-mail address in the “To:” field. After receiving several dozen messages from John, Jane might be tempted to reach out, click the “Reply” button and give this guy a piece of her mind — along with her private e-mail address!

On Facebook, you can’t reply to a notification message.

Facebook does not suffer from this particular vulnerability, because its notification messages are formatted so that replying to the sender is not possible. Replying to a Facebook notification message results in a “Failed” Delivery Status Notification (DSN).

Buffer Overflow Exploit

The second exploit involves a form of buffer overflow, related to how MocoSpace responds to a DSN that occurs when the inbox of a user’s private e-mail address is full. Although MocoSpace and the user’s private inbox are on different computer systems, the entire interaction of the two can be considered a buffer overflow when looked at as a “system of systems.”

Let’s suppose that Jane goes on a world concert tour and is unable to read her private e-mail for at least a few weeks. John continues sending messages to Jane’s MocoSpace inbox. For each message received by Jane’s MocoSpace inbox, a corresponding notification message is sent to her private e-mail address. Depending upon the amount of space left in her private inbox, a time may come when the private inbox is full, due to the influx of both MocoSpace notification messages and other legitimate messages Jane might receive at her private e-mail address.

When the inbox of a private e-mail address is full.

When an inbox is full, the usual response by a system is to reject any further messages and return a DSN to the sender. Because of the way MocoSpace formats its notification messages, any DSN returned is sent to the e-mail address specified in the “From:” field of the formatted notification message. It therefore becomes possible for John to once again find out Jane’s private e-mail address.

Temporary Fixes

MocoSpace notification settings.

MocoSpace allows users to customize the delivery method and daily number of notification messages. Having notification messages delivered by text message instead of e-mail suppresses the vulnerabilities, because text messages are delivered via MocoSpace’s short code. And because text messaging standards do not presently accommodate the return of DSN, there is little chance for the inadvertent disclosure of private e-mail addresses.

The Permanent Fix

To permanently mitigate these vulnerabilities, MocoSpace needs to format the notification e-mail messages so that external user replies to notification messages, and DSN messages caused by delivery problems, are no longer returned to the message sender. They can accomplish this by including a “Reply-To:” header in the notification message, which sends any message replies and DSN to a “no-reply” e-mail address. A “no-reply” address is the equivalent of a dead letter office for e-mail.
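The following is an added example, not MocoSpace’s code, that models both disclosure paths described above (the reply path and the mailbox-full DSN path) for the original notification format and for the hardened one. The addresses are constructed from the article’s scenario. One assumption is made about the original format: because the article reports DSNs reaching the “From:” address, the example treats that address as the SMTP envelope sender as well. That distinction matters for the fix: a mail client’s “Reply” follows “Reply-To:” (falling back to “From:”), but a DSN is returned to the envelope sender (MAIL FROM), so the hardened builder sets “Reply-To:” and the envelope sender to the no-reply mailbox, and also uses it in “From:” as MocoSpace ultimately did.

```python
"""Added example (not MocoSpace's code).  Shows where a reply and a
mailbox-full DSN end up for the original notification format versus the
hardened one.  All addresses are constructed from the article's scenario."""
from email.message import EmailMessage
from email.utils import parseaddr

SENDER_MOCO = "JohnEvil@mocospace.com"        # message sender's MocoSpace address
RECIPIENT_PRIVATE = "JaneFamous@example.com"  # recipient's private address (constructed)
NOREPLY = "noreply@mocospace.com"             # dead-letter mailbox used by the fix


def build_notification(hardened):
    """Build the notification e-mail sent to the recipient's private address.

    Returns (message, envelope_sender).  The envelope sender is the SMTP
    MAIL FROM address; it is where bounces (DSNs) are delivered."""
    msg = EmailMessage()
    msg["To"] = RECIPIENT_PRIVATE
    msg["Subject"] = "You have a new MocoSpace message"
    msg.set_content("Log in to MocoSpace to read this message.")
    if hardened:
        # Fix: replies (Reply-To) and bounces (envelope sender) both land in
        # the no-reply mailbox; From is set to it as well.
        msg["From"] = NOREPLY
        msg["Reply-To"] = NOREPLY
        envelope_sender = NOREPLY
    else:
        # Original format: the sender's MocoSpace address is in From.
        # Assumption: the same address is used as the envelope sender, which
        # is what the article's report of DSNs reaching the sender implies.
        msg["From"] = SENDER_MOCO
        envelope_sender = SENDER_MOCO
    return msg, envelope_sender


def reply_target(msg):
    """Address a mail client uses when the recipient clicks Reply:
    Reply-To if present, otherwise From (RFC 5322 section 3.6.2)."""
    return parseaddr(msg.get("Reply-To") or msg.get("From"))[1]


def mailbox_full_dsn(msg, envelope_sender):
    """Simulate the recipient's mail server rejecting the notification because
    the mailbox is full and returning a DSN (RFC 3464) to the envelope sender.
    The DSN names the failed recipient, i.e. the private address."""
    dsn = EmailMessage()
    dsn["From"] = "MAILER-DAEMON@example.com"
    dsn["To"] = envelope_sender
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    dsn.set_content(
        "Reporting-MTA: dns; mx.example.com\n"
        f"Final-Recipient: rfc822; {msg['To']}\n"
        "Action: failed\n"
        "Status: 5.2.2\n"
        "Diagnostic-Code: smtp; 552 Mailbox full\n"
    )
    return dsn


def exposure(hardened):
    """Summarise who learns the private address for one notification format."""
    msg, env = build_notification(hardened)
    dsn = mailbox_full_dsn(msg, env)
    reply_to = reply_target(msg)
    dsn_to = parseaddr(dsn["To"])[1]
    return {
        "reply_goes_to": reply_to,
        "dsn_goes_to": dsn_to,
        "dsn_names_private_address": RECIPIENT_PRIVATE in dsn.get_content(),
        "sender_learns_private_address": SENDER_MOCO in (reply_to, dsn_to),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "original", exposure(mode))
```

Note that the DSN still carries the private address in its `Final-Recipient` field in both cases; the fix does not stop that information from existing, it only changes who receives it, which is why the envelope sender must be a mailbox the message sender cannot read.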

Social networking sites depend on high profile users, such as celebrities and artists, to attract and retain popular users. Vulnerabilities such as these significantly weaken the privacy protections of all users, and should be corrected as quickly as possible.

Update — MocoSpace Response

On Monday, May 17, 2010, message notifications from MocoSpace began arriving with a “From” header of “noreply@mocospace.com” instead of the sender’s MocoSpace e-mail address. This hopefully will resolve the issues pointed out in this article.

But what about the MocoSpace user who chose “noreply” as his profile name [profile no longer exists]?  Will he be receiving tons of e-mail from external users who click the “Reply” button?  Or will he be forever unable to receive any external e-mail at all?
