We have looked into this issue and have confirmed this is not a security hole. No personal information is revealed to users other than through obscure links that are only available to the true site owner.
This URL is only available:
1. In the emails we send to users to claim their site. So only the true owner receives these
2. On the Posterous site itself but only when we know it's the site owner (based on cookies and other tests)
That Google search does include a bunch of unclaimed sites. However, none of those sites will include the secret hash, and therefore none will expose the email address.
The fact that we include the email address in the form is definitely odd, and we're removing that now. But nonetheless, it's only visible to the person who created that site, behind obscure URLs.
We're very confident in the system we have built. While making things super simple for the common user, we never forget that our users care a lot about keeping their information secure.
Thanks for bringing this to our attention. We always need to be one step ahead of the hackers/spoofers, and we thank the Hacker News community for keeping us on our toes!