I have just found what I believe to be a serious risk for account hijacking at Dynalist:

If I want to change my login email address, there is no way to do that online within my secure browser session while I am logged in. The process is that I need to send an unprotected email to support (any hacker can easily spoof the sender address) and I simply send them the login email of the account and the new email address.

So any hacker who wants to hijack my account, with all my personal or business data, simply needs to spoof an email sender address. Then the login gets changed to their new address and finally they click on “Request password reset”. I lose access to my account and they have all of my personal data which I have stored in Dynalist. I sent a message to the support and their reply was: “We have not experienced anyone taking our trust to their advantage yet.” (I am not storing any business data in Dynalist. Running a business in the EU, this would not comply with the GDPR regulation at all.)

Our systems rely on the SPF and DKIM checks to validate emails. Most email services such as Gmail, Yahoo, etc. all strictly follow the SPF and DKIM protocol, which allows us to put spoofed emails straight to spam. Your original email change was approved because your email is verified to be from “ ” using the two security measures.

Given you’re security-sensitive, I double-checked your email provider. It seems that on “ ” (not real), you have an SPF record set to “v=spf1 mx a ?all” and a DKIM which is not configured. This is the equivalent of saying ANY server on the internet can send emails as “ ” (not real) and spoof your email address. Since this is what you’ve purposefully configured for your email address, the email security protocol is basically telling us that any email (spoofed or not) is real and we should believe that it is actually sent from you.

In contrast, Gmail, for example, has a properly configured SPF and DKIM record (which I can see and verify, such as your original email sent from (not real)). In either case, this is the industry-standard authentication system, which did validate your original email. If you can configure your own domain name to properly advertise SPF and DKIM records, you can be assured that nobody will be able to spoof your emails, as all modern internet email systems will verify the SPF and DKIM records.

We do plan to provide a way to automate changing emails. We don’t want to manually do this tedious process either, especially given the spoofing risk.

Hello, and I just noticed that an invasion attack attempt happened in the WorkFlowy servers.