I built a simple script to go through all 76k email addresses and call the API endpoint to see if they were available, and thought there's no way it's gonna work. It was 2AM, so I ran the script and went to bed. Using just a single thread and a single network interface, no proxies, no Tor, doing 5 reqs/s, the script went through all the emails in 4 hours. Obviously, the username-check API was missing any rate limiting or throttling, so later that day, on June 25, 2016, I reported the bug to a friend of mine working at the Seznam.cz CSIRT team. As of March 25, 2017, there is still no rate limiting on the username check API, and still some 611 accounts available for registration.
In summer 2016, the script yielded 629 available Seznam.cz accounts, roughly 0.8% of all Seznam accounts from the LinkedIn dump. I could go and register these accounts and ask LinkedIn to send me a password reset link for each of them. And of course I did; I wanted to know if these were real LinkedIn accounts.
I registered 7 random addresses, then asked LinkedIn to send me the reset links. The email with the link contains a footer message, that's your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages, so I could search for these people by name on LinkedIn and concluded they are real people. I didn't reset any password, and deleted these Seznam.cz accounts immediately after receiving the reset link.
Quite a lot of the available addresses are obviously typos (like, let's say, email@example.com); the API will return "available": false when you correct the typo. But these mistyped emails are still associated with real LinkedIn profiles, though probably not heavily used ones.
With hijacked accounts, the attackers could scam their contacts, or do whatever they actually want.
If you're an email provider like Seznam.cz, you should not delete inactive accounts, and you should update your Terms and Conditions to officially say that you don't delete them, so people can rely on their email addresses. I mean, no sane provider would delete existing accounts, right? (Note: Seznam.cz will also delete accounts which have not been used even once within 14 days of creation, but that seems alright to me.) Also, throttling your username check API would make sense.
When building a service without sign-up email verification, you can minimize domain typos by adding Mailcheck to your sign-up forms:
(Screenshot: Mistyped domain on Kickstarter sign-up page)
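To show what a Mailcheck-style suggestion does on the sign-up form, here is an added example that is not the Mailcheck library's code: it compares the domain part of a typed address against a short list of known domains using Levenshtein edit distance (Mailcheck ships its own domain list and uses a different string metric). The domain list and the distance threshold are assumptions chosen for illustration.

```javascript
// Added example, not the Mailcheck library itself: a minimal domain-typo
// suggester in the spirit of Mailcheck. KNOWN_DOMAINS and MAX_DISTANCE are
// assumptions; Mailcheck's own list and metric differ.

const KNOWN_DOMAINS = ['seznam.cz', 'gmail.com', 'yahoo.com', 'outlook.com', 'centrum.cz'];
const MAX_DISTANCE = 2; // suggest only for near misses, never for unrelated domains

// Classic Levenshtein edit distance (insert, delete, substitute each cost 1),
// computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns { address, domain, distance } with the closest known domain, or
// null when the domain is already known, the input is not a usable address,
// or nothing is close enough to be a likely typo.
function suggest(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  const local = email.slice(0, at);
  const domain = email.slice(at + 1).toLowerCase();
  if (KNOWN_DOMAINS.includes(domain)) return null;

  let best = null;
  let bestDistance = MAX_DISTANCE + 1;
  for (const candidate of KNOWN_DOMAINS) {
    const d = editDistance(domain, candidate);
    if (d < bestDistance) {
      best = candidate;
      bestDistance = d;
    }
  }
  if (best === null) return null;
  return { address: `${local}@${best}`, domain: best, distance: bestDistance };
}

// Stand-alone demonstration with a constructed mistyped address.
console.log(suggest('jan.novak@senzam.cz')); // { address: 'jan.novak@seznam.cz', domain: 'seznam.cz', distance: 2 }
```

The form would display the suggestion ("Did you mean jan.novak@seznam.cz?") rather than silently rewriting the field, since a small distance threshold still produces false positives for legitimate but uncommon domains; as the post says, only email verification actually proves the address is right.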
By the way, Google lets you choose what happens to your account when you stop using it with Inactive Account Manager.
The spokeswoman also commented that Seznam.cz cannot take responsibility for mistyped addresses when signing up for third-party services. That makes sense, of course, and if you want to be sure your users are using correct email addresses for registration, you need to verify them by email.
User check API throttling does not make sense according to Seznam: they say rate limiting could be bypassed using multiple IP addresses, even though it would take longer.
That's correct, although for me, using tens of IP addresses would make this short experiment absurdly expensive. No need to buy IP addresses; you get tons of them for free due to default router credentials, Tor, and VPN, but I'd need to automate the hell out of this and that would take time. And time's money, so I'd probably just do something more useful instead.
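The throttling suggested above for a username check API, and Seznam's objection that a per-address limit can be spread across many addresses, can both be handled by the same mechanism. The following is an added example and not Seznam.cz's code: a token bucket per client key (source IP or session) that refuses checks once a short burst is spent, plus a second, larger bucket keyed on the endpoint as a whole so that total throughput stays bounded no matter how many addresses the requests come from. The limits, key names and the `lookup` stub are assumptions; the simulation reproduces the post's 5 req/s loop to show how many checks get through.

```javascript
// Added example (not Seznam.cz's code): token-bucket throttling for a
// username-availability endpoint. CLIENT_LIMITS, GLOBAL_LIMITS, the bucket
// key names and the lookup stub are assumptions chosen for illustration.
//
// Each client key has a bucket of `burst` tokens that regains one token every
// `refillMs`. A check costs one token. A second bucket keyed on the endpoint
// caps total throughput, so an enumeration loop spread over many addresses
// still draws from one shared global budget.

const CLIENT_LIMITS = { burst: 10, refillMs: 5000 }; // per client: 10 quick checks, then 1 per 5 s
const GLOBAL_LIMITS = { burst: 2000, refillMs: 10 }; // whole endpoint: ~100 checks/s sustained

const buckets = new Map(); // key -> { tokens, last }

// Integer arithmetic throughout: `last` is only advanced by whole refill
// periods, so no fractional tokens are lost or rounded. `nowMs` is injected
// rather than read from the clock so the behaviour is deterministic.
function checkAllowed(key, nowMs, limits = CLIENT_LIMITS) {
  let b = buckets.get(key);
  if (!b) {
    b = { tokens: limits.burst, last: nowMs };
    buckets.set(key, b);
  }
  const refill = Math.floor((nowMs - b.last) / limits.refillMs);
  if (refill > 0) {
    b.tokens = Math.min(limits.burst, b.tokens + refill);
    b.last += refill * limits.refillMs; // the remainder carries over
  }
  if (b.tokens > 0) {
    b.tokens -= 1;
    return { allowed: true, retryAfterMs: 0 };
  }
  // Time until the next token, suitable for a Retry-After header.
  return { allowed: false, retryAfterMs: b.last + limits.refillMs - nowMs };
}

// Drives `count` requests from one key spaced `intervalMs` apart and returns
// how many got through; used to see what a 5 req/s loop achieves.
function simulate(key, count, intervalMs, startMs = 0) {
  let allowed = 0;
  for (let i = 0; i < count; i++) {
    if (checkAllowed(key, startMs + i * intervalMs).allowed) allowed += 1;
  }
  return allowed;
}

// Only requests that pass both buckets reach the real lookup. `lookup` stands
// in for the directory query; the HTTP layer would map `status` to the code.
function usernameCheck(clientKey, username, nowMs, lookup) {
  const perClient = checkAllowed(clientKey, nowMs, CLIENT_LIMITS);
  if (!perClient.allowed) {
    return { status: 429, retryAfterMs: perClient.retryAfterMs };
  }
  const global = checkAllowed('endpoint:username-check', nowMs, GLOBAL_LIMITS);
  if (!global.allowed) {
    return { status: 429, retryAfterMs: global.retryAfterMs };
  }
  return { status: 200, available: lookup(username) };
}

// Stand-alone demonstration: 100 checks at 5 req/s from one address.
console.log(`allowed ${simulate('demo-ip', 100, 200)} of 100 checks`); // 13
```

With these numbers a single address gets its first 10 checks, then one every 5 seconds, which is enough for a person filling in a sign-up form and turns the post's 4-hour run into a multi-day one; the global bucket is what keeps the sum over many addresses bounded, at the cost of a shared budget that legitimate users also draw from, so its size has to be set from the endpoint's normal traffic rather than guessed.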