Deleteduser.com — a $15 PII Magnet

114 points by fanf 23 hours ago on lobsters | 33 comments

Mike Sheward

When is a delete not a delete? When it’s a publicly routable placeholder.

Ever since the birth of stricter privacy laws like GDPR and CCPA, the apps and services we use have been forced to build functionality to remove folk who no longer wish for their information to be held in the databases and code palaces that have been created in the name of SaaS. But what actually happens when you hit that delete button? More often than not, not a delete.

You see, when a lot of apps and services were architected, they were built to anticipate only ever adding data — more users, more records, more orders etc. There was no consideration or concept of having to remove that data because of laws. So, when that became a thing, actually, truthfully deleting records could cause big problems. Referential integrity across database tables simply wouldn’t allow it, BI reports would look weird, and there is a very strong chance that if a unique identifier was reused somehow, it would cause a resonance cascade.

So, to get around the problem, a lot of places simply ‘overwrite’ records when they are deleting them. They replace certain fields with garbage so the structure of the data remains, but the human elements are no longer present. At the heart of those ‘certain fields’ are email addresses, the most widely used identifiers on all the web. And that, dear reader, is how we got to this cursed discovery.

I saw a discussion on the internet where someone mentioned that they deleted users in their app by overwriting their email addresses with $somethingRandom@deleteduser.com. Mmm, I thought — I wonder how common of a thought process that is? I bet whoever owns deleteduser.com gets loads of emails!

I decided to check it out, but to my genuine surprise — no one owned deleteduser.com, so now I do.

Shortly after acquiring this new bit of internet real estate, I set up an email listener to see if anything would come in. The domain was owned for less than an hour before I got emails from three different companies who had clearly used ‘deleteduser.com’ as a placeholder in an overwrite, never expecting it to be routed anywhere, but of course, now, it was routable.

As the day progressed, more and more emails flooded in — this was clearly a very common pattern. Many of those emails contained the original PII of the users who had been ‘deleted’. After 24 hours I was able to positively identify 30 different organizations who clearly used this practice in response to ‘right to be forgotten’ requests.

They included:

  • A large chain of gyms
  • A hospitality management platform
  • An HR SaaS tool
  • A delivery service
  • A giant energy company
  • A SaaS uptime tracking platform
  • and my personal favorite — 2 different cybersecurity companies.

In terms of PII breaches, the hospitality management platform is currently atop the leaderboard. It regularly emails summary reports of which guests are in which rooms at which hotel — including full names of those guests, room numbers and check in and out dates.

The giant energy company sends out reports from one of its internal systems that contain details about purchase orders to ‘nouse@deleteduser.com’ for some reason.

The delivery company reports share tracking information for delivered shipments, including full contact information for the sender, recipient etc.

The gym begs the deleted user to rejoin them, by name.

The SaaS uptime tracking platform is telling the deleted user that the thing their company monitors is fixed.

Oh, and password reset emails with valid tokens from an organization’s WordPress instance.

So, what is the lesson here? I guess it’s twofold.

1 — Never rely on anything that you don’t own in your processes. You don’t own deleteduser.com, you never did.

2 — If the entirety of your delete process is replacing an email address with something@deleteduser.com, not only are you doing the bare minimum, you are somehow doing something worse than the bare minimum — because you are willingly exposing PII to some random fella’s domain, and you weren’t doing that before.
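To make the second lesson concrete, here is an added example (my own code, not from the post or any of the companies named in it) of an erasure routine that keeps the row for referential integrity but overwrites the address with a random local part at a domain under the RFC 2606 reserved `.invalid` TLD, which can never be bought or routed; it also gates outbound mail on the erased flag and audits existing rows for placeholder domains the organisation does not own. The schema, the sample rows and the `example.com` owned domain are constructed for the demo.

```python
import re
import secrets
import sqlite3
from datetime import datetime, timezone

# RFC 2606 reserves .invalid: nobody can register it, so mail to it cannot reach a third party.
TOMBSTONE_DOMAIN = "deleted.invalid"
# Domains this (hypothetical) organisation actually controls.
OWNED_DOMAINS = {"example.com"}
# Heuristic: domains that look like someone's ad-hoc "deleted user" placeholder.
PLACEHOLDER_RE = re.compile(r"delet|remov|anon|nouser|placeholder", re.IGNORECASE)


def open_db() -> sqlite3.Connection:
    """Constructed sample schema and rows standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, deleted_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, NULL)", [
        (1, "Ada", "ada@example.com"),
        (2, "Bob", "bob@example.com"),
        (3, "Cy", "8f3a1c@deleteduser.com"),  # legacy overwrite: the pattern the post describes
    ])
    return conn


def erase_user(conn: sqlite3.Connection, user_id: int) -> str:
    """Strip PII but keep the row. The local part is random, not derived from the old address."""
    placeholder = f"deleted-{secrets.token_hex(8)}@{TOMBSTONE_DOMAIN}"
    conn.execute("UPDATE users SET name = '[deleted]', email = ?, deleted_at = ? WHERE id = ?",
                 (placeholder, datetime.now(timezone.utc).isoformat(), user_id))
    return placeholder


def can_send_to(conn: sqlite3.Connection, user_id: int) -> bool:
    """Outbound-mail guard: refuse erased users even if some report job still reads the email column."""
    row = conn.execute("SELECT email, deleted_at FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[1] is not None:
        return False
    return row[0].rpartition("@")[2].lower() != TOMBSTONE_DOMAIN


def unowned_placeholder_rows(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Audit: placeholder-looking addresses whose domain is neither owned nor reserved.
    These are exactly the rows that will leak to whoever registers that domain."""
    safe = OWNED_DOMAINS | {TOMBSTONE_DOMAIN}
    hits = []
    for uid, email in conn.execute("SELECT id, email FROM users ORDER BY id"):
        domain = email.rpartition("@")[2].lower()
        if PLACEHOLDER_RE.search(domain) and domain not in safe:
            hits.append((uid, email))
    return hits
```

Running the audit over a real table is the quick way to find out whether your own delete process has been mailing deleteduser.com all along.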

For what it’s worth, I will try and reach out to each of the companies I see in that inbox and point them to this post. I am also planning on sharing information with the relevant authorities. I am being a good guardian of the internet dumpster — but if I had been a bad one, it’s not hard to see how this information that is willingly thrown at my face could be misused.