Hmm... But why should the 'password' URL be so similar to the mail address? Doesn't this mean that if I know your mail address, I can fairly easily guess the secret URL to let me see that inbox?
(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these two different random strings?)
A couple more examples:
1QjYwHNM vs 1QjYwHOc
1Qk07A9x vs 1Qk07A9X
Yeah, the developer is going to want to fix that quick smart. At a complete guess they are two strings being generated in quick succession from the same seed, and they both happen to be very close. End result is that I can guess your email.
Also, email addresses are in a really tight set and easily guessable. So that system should be fixed in general, not just for the address/password issue, but also to get a proper address distribution.
Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.
You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)
The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).
The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?
Issues raised:
1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).
2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)
3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.
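The base-62 timestamp analysis in the post above, worked through as an added example (this is not code from the original thread or from the service in question). It decodes the two string pairs quoted earlier in the thread under the [0-9a-zA-Z] digit order the post describes, shows how far apart they are as numbers, and enumerates the candidate secrets an attacker would try around a known address, nearest first. The digit order, the search window, and the "5th digit every 15 seconds" rate are taken from the thread as assumptions; the pairs are the ones quoted in it.

```python
# Assumed digit order, as described in the thread: 0-9, then a-z, then A-Z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
BASE = len(ALPHABET)  # 62
_VALUE = {ch: i for i, ch in enumerate(ALPHABET)}

# The two pairs quoted in the thread (address vs. secret URL, order unknown).
OBSERVED_PAIRS = [("1QjYwHNM", "1QjYwHOc"), ("1Qk07A9x", "1Qk07A9X")]


def b62_decode(s: str) -> int:
    """Interpret a string as a base-62 number, most significant digit first."""
    n = 0
    for ch in s:
        n = n * BASE + _VALUE[ch]
    return n


def b62_encode(n: int, width: int) -> str:
    """Inverse of b62_decode, zero-padded on the left to the given width."""
    if n < 0:
        raise ValueError("negative values cannot be encoded")
    digits = []
    while n:
        n, r = divmod(n, BASE)
        digits.append(ALPHABET[r])
    return ("".join(reversed(digits)) or "0").rjust(width, "0")


def distance(a: str, b: str) -> int:
    """Number of base-62 'steps' from string a to string b (b - a)."""
    return b62_decode(b) - b62_decode(a)


def candidate_secrets(address: str, max_steps: int = 1000) -> list:
    """Candidate secret URLs for a known address, nearest first.

    The thread reports the secret is usually a few dozen steps *below* the
    address but not by a fixed amount, so each distance k is tried below
    first, then above, out to max_steps (an assumed window; the thread says
    "certainly less than 1000").
    """
    n = b62_decode(address)
    width = len(address)
    out = []
    for k in range(1, max_steps + 1):
        out.append(b62_encode(n - k, width))
        out.append(b62_encode(n + k, width))
    return out


def strings_per_second(digit_from_right: int = 5, seconds: float = 15.0) -> float:
    """Rate implied by the observation that the 5th digit from the right
    advances every 15 s: one tick of that digit spans 62**4 lower values."""
    return BASE ** (digit_from_right - 1) / seconds


if __name__ == "__main__":
    for a, b in OBSERVED_PAIRS:
        print(f"{a} -> {b}: {distance(a, b):+d} steps")
    addr = OBSERVED_PAIRS[0][0]
    cands = candidate_secrets(addr)
    print(f"{OBSERVED_PAIRS[0][1]} is attempt #{cands.index(OBSERVED_PAIRS[0][1]) + 1} "
          f"of {len(cands)} for address {addr}")
    print(f"~{strings_per_second():,.0f} distinct strings per second")
```

Under the stated digit order both quoted pairs sit exactly 26 steps apart, squarely inside the "20-30 steps" the post reports, so a few hundred requests would cover the typical case and a couple of thousand the worst observed gap; per-IP rate limiting on the secret URL does not help much when the candidate list is this short, which is the point the developer concedes below.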
Thanks for the hint! I already took a look into it. There are indeed only 676 options to guess the secret in many cases. We do block brute force attacks, but given that there are only 676 possibilities, you could just run the brute force tool at a very low speed.