Yfrog doesn’t want to admit their email upload feature is badly designed
Yfrog has released a statement called “Yfrog Security Update” which is somewhat misleading and explains the current status of the email upload feature.
Yesterday yfrog noticed this feature was not secure and implemented a couple of measures. The first one was to make the yfrog email address less prominent. Before Wednesday, yfrog used to show this email address in the upper right corner for a logged-in user, making it easy for anybody looking at your screen to copy it.
Then yfrog disabled the post by email feature. Posts by email would result in an error email message being sent back to the sender notifying them the feature is disabled.
Tonight, the yfrog generated email address is not shown at all, and the feature seems to still be disabled.
Yfrog’s security update seems to indicate that while this feature is currently disabled, they plan on changing their scheme for generating email addresses and re-enabling the feature.
I’m going to assume they’re going to generate a key that is more complex, at least including numbers. They’re calling this an “email PIN”, I guess to make it more obvious that it is not to be shared. I assume the email will be similar to what twitpic uses (which I believe is just numeric).
However, I do take issue with this statement in the email:
Why we Disabled Email Upload
At yfrog, we constantly evaluate our internal security mechanisms across all the facets of our service. Even though our email upload feature has not been compromised or broken into, we are taking this opportunity to evaluate the feature and secure it even further.
Yfrog is not really being honest here. Their email upload feature has clearly been “compromised”. We showed here on LGF how easy it is to derive these email addresses using the previous scheme. Their security update message confirms this: that’s why they’ve disabled the feature, and they are very likely changing the way this email address is generated.
If they insist on this feature, I also expect them to at least do the following:
* Invalidate ALL existing yfrog emails and regenerate them for existing users
* Allow users to change (or have yfrog regenerate) their yfrog email, in case the user thinks their email has been compromised
* Allow users to opt-out of this feature
* Only accept email messages from a given email address or phone number (via MMS)
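To make the four requirements above concrete, here is an added example (not Yfrog’s code, and not from anyone at LGF) of how a post-by-email feature can be built so the upload address is not derivable from anything public. It assumes a hypothetical in-memory account store; the function names, the `upload.example.invalid` domain and the sample addresses are all made up for the illustration. The secret part of the address comes from the operating system’s CSPRNG, only a hash of it is stored, regenerating it invalidates the old one, there is a per-user opt-out, and inbound mail is only accepted from an address the user has allowlisted.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# 16 random bytes = 128 bits of entropy; a numeric PIN of a few digits offers
# only a few tens of thousands of guesses by comparison. (Constructed constant.)
TOKEN_BYTES = 16
UPLOAD_DOMAIN = "upload.example.invalid"  # hypothetical domain, not a real service


@dataclass
class Account:
    """Hypothetical account record for the example."""
    username: str
    allowed_senders: Set[str] = field(default_factory=set)  # senders permitted to post
    email_upload_enabled: bool = True                      # per-user opt-out switch
    token_hash: Optional[bytes] = None                     # hash of the secret local-part only


def _hash_token(token: str) -> bytes:
    # Store a digest rather than the secret itself, so a leaked database
    # does not hand out working upload addresses.
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_upload_address(acct: Account) -> str:
    """Generate (or regenerate) the user's upload address.

    The local part is random, not derived from the username or any other
    public value. Overwriting token_hash invalidates whatever address was
    issued before, which is how a user rotates a compromised address.
    """
    token = secrets.token_hex(TOKEN_BYTES)
    acct.token_hash = _hash_token(token)
    return f"{token}@{UPLOAD_DOMAIN}"


def reissue_all(accounts: Dict[str, Account]) -> Dict[str, str]:
    """Invalidate every existing upload address at once and hand out new ones.

    Returns username -> new address, to be delivered to each user out of band.
    """
    return {name: issue_upload_address(acct) for name, acct in accounts.items()}


def accept_upload(acct: Account, to_address: str, from_address: str) -> bool:
    """Decide whether an inbound message may post to the account.

    All four checks must pass: feature enabled, an address has been issued,
    the secret local-part matches (compared in constant time), and the
    envelope sender is on the user's allowlist.
    """
    if not acct.email_upload_enabled or acct.token_hash is None:
        return False
    local_part = to_address.rsplit("@", 1)[0]
    if not hmac.compare_digest(_hash_token(local_part), acct.token_hash):
        return False
    allowed = {s.lower() for s in acct.allowed_senders}
    return from_address.lower() in allowed


if __name__ == "__main__":
    # Constructed walk-through with made-up addresses.
    alice = Account("alice", allowed_senders={"alice@example.invalid"})
    addr = issue_upload_address(alice)
    print("accept from allowlisted sender:", accept_upload(alice, addr, "alice@example.invalid"))
    print("reject unknown sender:", accept_upload(alice, addr, "mallory@example.invalid"))
    rotated = issue_upload_address(alice)
    print("old address still works after rotation:", accept_upload(alice, addr, "alice@example.invalid"))
    print("new address works:", accept_upload(alice, rotated, "alice@example.invalid"))
```

The sender allowlist is a weak check on its own, since the From header is forgeable, which is why it is layered on top of the unguessable address rather than replacing it; MMS from a registered phone number would be checked the same way at the gateway.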
As Sony’s PSN issue has shown us, it’s better to be honest with the public earlier. Yfrog should just admit that the scheme they used for this feature was flawed and that they’re working on a new one that is more robust.
Unfortunately, I still think that posting to an account through a “secret email” address is an unsafe way to operate. I think an honest debate needs to happen to settle whether social media sites should continue using this feature (for example, twitpic and facebook have this feature, although with different email generating schemes).