
Email addresses revealed!

Skeptic believer

Hi
I wonder if anyone can explain what happened - or is it a psychic phenomenon?

There is a blog, which I regularly read, which is quite popular in its field.
The exact nature of it probably is not relevant, except that it is a bona fide blog, written by a known writer.

Yesterday, he had included exact copies of several emails, in his blog, except that he had removed the personally identifiable information.
Instead of email addresses, the ‘to’ and ‘Cc’ entries contained the first few letters of the addresses sent, but then followed by X’s.

I copied the emails from the blog, and pasted them onto my word processor, intending to read them later.
Then I noticed that instead of just X’s, several email addresses had been revealed!
But the original from the blog, which I copied it from, only had X’s (!).

I wasn’t imagining it, and have saved it, so can prove what happened.

I now have copies of several personal email addresses which the author didn’t intend to be made public.

The funny thing is, that I have continually tried to reproduce what happened, but now, every time I copy the emails to my word processor, the email addresses are just X’s, as in the blog!

The only thing I can think of, is that, in the past, I have tried to copy something from a website, and when I pasted it, there was a lot more information than I had copied!
So it seems that when you use ‘copy’, it sometimes copies more than just the text!
But I am confused because I can’t reproduce this phenomenon, and he obviously didn’t intend the email addresses to be known.
Does anyone have a non-psychic mundane explanation for this??
 
That can work with passwords too. For example my password here at the JREF is *********** I can read it plain as day but you will only see asterisks, but sometimes when you copy it over to a word processor you can read the entire string! Try it sometime. Just type in your password and nobody else will be able to see it but you!

;) Don't do this!
 
Without a link to the blog, my theory would be that the blog owner used JavaScript to obfuscate the email addresses, but they were still rendered as non-obfuscated in the original HTML source, and sometimes copying from a browser into a word processor will keep some formatting elements and ignore the JavaScript rendering.

If you can't reproduce the copy/paste anymore, it's probably because the blog owner changed his script to better obfuscate the email addresses (presumably because he noticed the problem, or someone told him about it).

There are probably other explanations but I think mine is as good as any.
 
Morrigan, rjh01

Thank you for responding.
I don't think it's right to quote the link in public, but I have sent PMs.
 
Thanks for the PM, including the link. I cannot see how I can duplicate it. I do not think I can add anything to Morrigan's post, except to agree with it.
 
What I thought was peculiar was that I first looked at the emails several hours after they had been originally posted.
When I noticed the 'difference' I tried to duplicate it straight away, and continually after that.
So if he altered it in some way just at that time, it seems a bit of a coincidence.
 
That can work with passwords too. For example my password here at the JREF is *********** I can read it plain as day but you will only see asterisks, but sometimes when you copy it over to a word processor you can read the entire string! Try it sometime. Just type in your password and nobody else will be able to see it but you!

;) Don't do this!

I've seen that, too, and used it. People who write password systems should nowadays be aware of this when overriding a text entry form -- disable copy but do allow pasting.

I have to wonder about using a system text box, though, even if you do override display (showing *s) and disallow copy. Is it still in there? There must be programmatic ways to get at that data -- after all, the program using the password will pull it out when you hit Ok.

Best to just write your own and not rely on a system text box. Or use a special system "password" box and let the OS worry about the security.



We use Lotus Notes at work (yes, it still exists.) Their password form is interesting -- when you type letters, it swaps them for Xs, but it spits out 2-3 Xs per letter typed. This is to make it harder for people looking over your shoulder to be certain how long your PW is.


They also do another interesting thing -- after 3-4 letters, they have an animated key ring changing keys with each key press, alongside. I can only guess this was intended to give you little mental rewards for longer, thus harder to crack, passwords.
 
So if you copy the web page now, it no longer does this?

That means they edited out the hyperlinks. Which they left intact at first.
I think Dancing David has it correct.

When the emails were copied into the blog post, the email addresses were converted to text with a hyperlink that allows you to click on them to automatically start your email program and send an email to that address.

The blog poster then edited the visible email address and typed over part of it with xxxxx, but neglected to change the hyperlinks.

When you cut and pasted from the web page into your word processor, it saw the hyperlinks and displayed them for you.

At about this time the blog poster realizes his mistake and removes the hyperlinks, so when you try it again only the plain text comes across.

Nothing magic.
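
Added example, not part of the original thread: a small pre-publication check for the failure described in the post above, where the visible text of a link was typed over with X's but the `mailto:` target still holds the full address. The sample HTML and the addresses in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Deliberately loose pattern: good enough to spot addresses left in a link target.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class RedactionLeakFinder(HTMLParser):
    """Collect mailto: links whose address is not what the reader sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.leaks = []      # (visible_text, address_left_in_href)
        self._href = None    # href of the mailto link currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                self._href, self._text = href, []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = "".join(self._text).strip()
            # The target may be percent-encoded and carry ?subject=/cc= parameters.
            for addr in EMAIL_RE.findall(unquote(self._href[len("mailto:"):])):
                if addr.lower() not in visible.lower():
                    self.leaks.append((visible, addr))
            self._href = None

def find_leaks(html):
    finder = RedactionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.leaks

# Constructed sample: two redacted links, one honest link, one plain-text redaction.
SAMPLE = '''<p>To: <a href="mailto:alice.jones@example.org">alicXXXXXXXXXXXX</a><br>
Cc: <a href="mailto:bob@example.net?subject=Hi">bob@example.net</a>,
<a href="mailto:carol%40example.com">carXXXXX</a><br>
From: davXXXXXXX</p>'''

if __name__ == "__main__":
    for visible, addr in find_leaks(SAMPLE):
        print(f"shown as {visible!r}, link still contains {addr}")
```

Rich-text copy and paste carries the link target along with the visible text, which is why a word processor can show an address that the page itself never displays.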
 
Someone tried that here on this forum a long time ago. He started a thread inviting members to post their passwords and said that they would show up as asterisks. He got banned over it.

Like post #2 of this very thread?
 
Someone tried that here on this forum a long time ago. He started a thread inviting members to post their passwords and said that they would show up as asterisks. He got banned over it.

Like post #2 of this very thread?

I remember that. However I cannot find anything on the issue. No ban notice or the thread involved.
 
becomingagodo. I remember because it was one of the few bannings here that felt wrong to me. He was just a kid having fun.


Sam.I.Am's does have the smiley, and I suspect that makes a world of difference.

Becomingagodo?

No-one could ever sufficiently explain what a godo was, or why he might want to become one.

He was banned for password phishing.
 
becomingagodo. I remember because it was one of the few bannings here that felt wrong to me. He was just a kid having fun.


Sam.I.Am's does have the smiley, and I suspect that makes a world of difference.

Plus if you quote the post (or simply highlight it) it clearly says "Don't do this!" right after the winking smiley. :whistling

It was a joke, but I didn't realize that someone had actually tried to phish passwords here using something so obviously wrong on its face, so I'll just apologize now to anyone who took me seriously and say again:

Don't Do That! Passwords don't work that way.
 
