
Or they could just sign up at one of the numerous free email providers with a different username. Stripping the + suffixes is only providing one thing - pain for the users that want to use it.


This is true. I know someone who says she's been doing the Hulu free month thing for a couple of years, and does it for other services as well.

It's all too much for me to keep track of, but for some people it's no big deal to create new e-mail addresses every month.


The author suggests stripping the part before doing the uniqueness check. This does not mean that the username (email address in this case) would not be allowed.


It would for the second user whose address resolves to the same result from the “uniqueness” check.


I wish this would happen. There's a "rocket surgeon" on the East Coast who has (tried) to sign up for Facebook, Twitter, Steam, and a bunch of sleazy 'message gurlz now' apps using my Gmail address without the period.

Obviously it never works, as I get the "I see you're trying to create a new account" email, but one of these days he's going to figure out a way to take over one of those accounts and then I'll really be fked.


I don’t understand your complaint. Google resolves the addresses john.smith@gmail.com and johnsmith@gmail.com to the same account, which you control.

(1.) What are you imagining is the attack vector exactly?

(2.) Are you asserting that all website owners should build to Google’s (non-standard) behavior?


I have a similar problem with someone who keeps (hopefully accidentally) putting my landline number into Facebook, then I get a call with a recording asking me to press some number to verify my Facebook account.


I'm curious as to who would use a service someone else is using, sharing their email but with a local addition?

Can my wife and I both sign up to HN and use my email, but hers be josh+swife@joshmanders.com and mine be josh@joshmanders.com?

That's a strange use case, isn't it?


gmail makes josh@... and josh+swife@... resolve to the same thing, but there is no guarantee that all other email services behave like that. For all you know, there is an email service that lets you register an email like that, so you have 2 users now whose email is: john+smith@... and john+brown@...


It's way easier to write a script to generate thousands of variations on the same email address than to sign up for a thousand different accounts. I've actually been bitten by this bug before... or rather, my company was bitten by an affiliate who neglected to sanitize their emails this way and someone was able to create thousands of gift cards in our system.

Having said that, in development, it's super nice to be able to create addresses with +'s in them.


What you say is not untrue, but it's still bad advice to do it -- a security red herring. First of all, you don't know that 100% of mail servers ignore characters after the +, so you can't safely strip those characters or you might not end up with a usable email address. That goes double for stripping the dots/periods, which gmail ignores but many other mail servers do not.

On top of that, it's just as easy to set up a catchall email address -- an email box that accepts all mail for a domain, literally anything@mydomain.com. So a malicious actor could sidestep this security attempt with minimal effort, but it still inconveniences legitimate users despite being worthless from a security perspective.
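
An added example (not code from any commenter) of the approach the thread converges on: canonicalize an address only for the duplicate check, only for providers known to ignore the tag or the dots, and keep the address exactly as entered for delivery. The provider sets are assumptions to be adjusted per deployment, and the check does nothing against catch-all domains or disposable mailboxes.

```python
# Providers assumed (for this example) to ignore a '+tag' in the local part.
# Extend or shrink this set per deployment; an unknown domain is left untouched,
# because "john+smith@" and "john+brown@" may be two distinct mailboxes there.
PLUS_TAG_PROVIDERS = {"gmail.com"}
# Providers assumed to ignore dots in the local part (Gmail does; most do not).
DOT_INSENSITIVE_PROVIDERS = {"gmail.com"}


def dedup_key(address: str) -> str:
    """Return a key used ONLY for duplicate detection. Never send mail to it:
    stripping tags or dots can produce an address the user's provider does not deliver."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()  # domain names are case-insensitive
    if domain in PLUS_TAG_PROVIDERS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_PROVIDERS:
        local = local.replace(".", "")
    # The local part is case-sensitive on paper, but folding case in the
    # dedup key (not in the stored address) is the conservative choice here.
    return f"{local.lower()}@{domain}"


def register(store: dict, address: str) -> bool:
    """Record a signup keyed by dedup_key; return False if the key is already taken.
    The stored value is the address as entered, so delivery is never affected."""
    key = dedup_key(address)
    if key in store:
        return False
    store[key] = address
    return True


if __name__ == "__main__":
    accounts = {}
    for entered in ["John.Smith+hulu@Gmail.com", "johnsmith@gmail.com",
                    "josh@joshmanders.com", "josh+swife@joshmanders.com"]:
        print(f"{entered:32} -> {dedup_key(entered):26} new={register(accounts, entered)}")
```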


True, true. As I mentioned below, in my case, it was even usernames, just entering your email for a free gift card. The attacker actually used dots with a gmail address.


There are soooo many ways to easily game the email side of it that you would be better off using other means of detecting uniqueness (rate limit per IP address, rate limit per hash of IP address and user-agent).


>It's way easier to write a script to generate thousands of variations on the same email address than to sign up for a thousand different accounts.

It's just as easy to write a script to use ephemeral hosts that you don't need to sign up for. Things like Mailinator.

All it does is irritate people like me who use +words as prefilters for email (and to see which companies are selling my email/user data).


Fair enough! In my case it wasn't actually usernames, just entering an email address through a phone company for a free gift card from my old company so yeah, my point is moot.


That's all fine, but except in pretty specific circumstances you're going to have valid reasons to want multiple accounts for a single email address. Kind of a crazy scale issue, but one example is wanting your AWS account to be separate from your Amazon Retail account; even though they use the same underlying account store, it's a good idea to use separate accounts even if they're tied to the same email.
