31

Is it safe to use e-mail addresses inside URLs? I mean, let's say a web application has a registered user "Bob" and Bob has been registered by using his email => Bob@hisemail.com. Now what's your opinion, is it safe for the application to accept and work with GET requests on //application.com/Bob@hisemail.com and the same kind of URLs for every user?

unor
Kostas

4 Answers

34

Basically it depends on if you love or hate your users. When you do what you suggest, these URLs will spread on HTML pages on the web. Not necessarily confined to your own site, because people may link to it.

When your page gains enough traction to become important, crawler authors for spam bots will notice and add rules to their crawlers to extract the email address from URLs. It might even not be necessary, because some dumb regexes might already find the email without adaption.

Then, your users' email addresses will land on spammers' lists and get "unwanted adverts", euphemistically speaking. (These email lists will be rather high-valued, too, because they are "verified" to be real, existing ones.)

What you're doing here is giving away a private bit of identification your users trusted you with. Never ever allow that to be in public, unless your users told you so!

From a technical perspective, you can just go for it.

Boldewyn
  • Well, your answer seems logical and very true. But the whole thing started because I love my users and I don't want to give them URLs like //webApp/12345 or //webApp/users/12345 . No one likes or remembers IDs :P – Kostas Dec 05 '13 at 12:58
  • That's true, and I +1'd the question, because it's a good one. But the problem persists, that especially email addresses are in fact quite a personal bit of information. That's why many services do now ask for email _and_ username, let you log in with both but display only the latter. – Boldewyn Dec 05 '13 at 13:32
  • You can see, how sensible emails are, by looking at Facebook. Yes, _that_ privacy-is-20th-century website. If you try to mail `user@facebook.com`, their mail server checks, if your mail address may do that and rejects the mail, if you're not a friend with the email's owner. – Boldewyn Dec 05 '13 at 13:35
  • 2
    The answer is assuming that the URL in question is crawlable (appears on a public HTML file). I can still love my users and have an API endpoint that takes an email in the path – fjch1997 Jan 25 '21 at 19:41
  • 3
    Not in the least. The trick works backwards, too. Any malicious actor can obtain a list of millions of existing e-mail addresses for a couple bucks. Then he can start querying your service with said list to find the ones, that give a positive response. And suddenly he has a list of e-mails, that also have an account on your site. – Boldewyn Jan 25 '21 at 19:48
2

I think that this is not a good idea. Firstly, email contains special chars that need to be URL encoded so they don't get mixed up with system characters (for example, for FTP servers you can pass username like this ftp://user:pass@test.com).

Also, I would not like it from user perspective as in this case my e-mail would stay in browsers history.

Kaspars Ozols
  • 1
    In a solidly coded application, the first point is invalid. (Also, the `@` doesn't need encoding after the first `/`.) The second one _is valid_, though. – Boldewyn Dec 05 '13 at 12:49
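The two points raised in this answer and its comment, as an added example that is not part of the original posts: where `@` is a userinfo delimiter versus an ordinary path character, and why the address still has to be percent-encoded as a single path segment. The helper names and the second sample address are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit


def profile_url(base, email):
    """Build base + '/' + email with the address as ONE path segment.

    '@' is legal in a path segment and stays literal; characters that are
    valid in an e-mail local part but are URL delimiters ('/', '?', '#')
    get percent-encoded.
    """
    return base.rstrip("/") + "/" + quote(email, safe="@")


def host_and_segment(url):
    """Return (hostname, decoded last path segment) as a URL parser sees them."""
    parts = urlsplit(url)
    return parts.hostname, unquote(parts.path.rsplit("/", 1)[-1])


BASE = "https://application.com"
PLAIN = "Bob@hisemail.com"            # address from the question
ODD = "o'neil/ops+x?y@example.com"    # constructed: local part uses / + ?

if __name__ == "__main__":
    # After the first '/', '@' is plain path data: the host is unchanged.
    print(host_and_segment(profile_url(BASE, PLAIN)))
    # Without that '/', everything before '@' becomes userinfo and the
    # e-mail's domain becomes the host.
    print(host_and_segment(BASE + PLAIN))
    # Unencoded, '/' and '?' split the address across path and query.
    print(host_and_segment(BASE + "/" + ODD))
    # Encoded as one segment, the address survives the round trip.
    print(profile_url(BASE, ODD), host_and_segment(profile_url(BASE, ODD)))
```

Some servers reject or decode `%2F` in a path before routing (Apache's `AllowEncodedSlashes` defaults to off), so the round trip shown here also depends on the server in front of the application.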
0

In this case, the email address can be used as a request parameter with the GET method, e.g.:

//application.com/file_name?email=Bob@hisemail.com

This option is safer and is probably used.

  • 1
    Well, I am not asking how to do it but thank you :) I prefer the .../email format cause it seems cleaner. The thing is what are the consequences in the long run? Words like spam, security issues and stuff like that come to my mind but I'd love some opinions by more experienced people. – Kostas Dec 05 '13 at 12:45
  • When we use the rewrite mode, so it's not preferred to use the special characters in the URL, so as your form to use, I think it's not properly taped or cleaned – Mouhamad Ounayssi Dec 05 '13 at 13:16
0

One more disadvantage of using email addresses in GET request URLs is that such requests tend to be considered suspicious by security tooling.

For example, we see that Web Application Firewall in Azure Application Gateway blocks many such requests:

```
{
  operationName: "ApplicationGatewayFirewall",
  category: "ApplicationGatewayFirewallLog",
  properties: {
    requestUri: "/api/users/getuserbyemail/testuser@gmail.com",
    ruleSetType: "OWASP_CRS",
    ruleSetVersion: "3.0.0",
    ruleId: "920440",
    message: "URL file extension is restricted by policy",
    action: "Matched",
    details: {
      message:
        'Warning. String match within ".asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. ',
      data: ".com",
      file: "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      line: "1056",
    },
    policyId: "default",
    // ...
  }
}
```
Paweł Bulwan