Six-Year Study of Emails Sent to Unverified Addresses.

Alexander Joukov, Nikolai Joukov

HAISA (2023)

Abstract
In addition to a username and password, more and more websites are requiring an email address during account creation. But often, users are granted full access before email verification, allowing them to create accounts using others’ email addresses. As a result, emails sent to such users will instead end up in the true owners’ inboxes. These emails can contain private data ranging from personally identifiable information to banking details and social security numbers. Additionally, the true owner can reset the password and access the account directly. But regardless of potential malicious action, both the user and the true owner face negative consequences. In this paper, we enumerate the prevalence of this shortcoming by manually analyzing account accessibility before email verification on leading United States websites—72% of them failed to restrict potentially harmful actions. Then, we used our rare opportunity to use a short, dictionary-word Gmail address to analyze unverified emails over the course of six years. We categorize the exposed private data and reveal user risks. We aim to bring attention to the dangers of this security flaw and call for the development of new privacy policies.
Keywords
emails, addresses, six-year