Posted by Matt, on Tue, 06 Nov 2018 01:14:19 -0500, in thoughts

I've been a user of Freenode for years now, but you wouldn't know it from doing a WHOIS search on my nick "duckgoose" -- my NickServ account is only a few weeks old. This is because I had to recreate it after a my account was compromised and dropped (deleted).

Now it's not Freenode's fault someone was able to get into my account -- because I was dumb enough to use a shared password. However the lack of security with Freenode's NickServ service made it very easy for the attacker to lock me out and delete my account. Allow me to explain how.

On the night of incident I was on Freenode doing what I do best -- nothing of value. My session of procrastination was interrupted when I was disconnected by NickServ. A scumbag ghosted me off my own account!

So someone has my NickServ password and has knocked me off, so what do I do now? This is where the first issue is.

If someone is on your account, then you can't change the password.

Do this test for yourself. Find a user that is logged in to NickServ and try to do a "sendpass" command on their nick. E.g. I did a sendpass request for the nick "pronk" and got the following: -NickServ-: This operation cannot be performed on pronk, because someone is logged in to it.

Why?! I was not able to request a new password because the attacker was logged in to my account and he had changed the password. He didn't have access to my email so if I could have set a new password (using sendpass) I could have easily solved the problem myself.

So I couldn't change the password. All I could do was sit and watch him pretend to be me while begging staff to help. When I was finally able to get hold of a staff member the attacker already dropped my NickServ account. This is my second beef with Freenode.

There is no email verification for dropping a NickServ account.

Dropping an account is a big deal -- you can't get it restored. I found this out for myself. But why not have simple email verification before dropping an account? It's a pretty easy thing to add, and it would have saved my old account. However this would all be pointless because of another problem...

Email changes are done without verifying the old email

So if I had your NickServ password I could kick you off, change your password, change the email, and then there would be nothing you could to get your account back.

Email updating should not be done without giving the user of the old email address the chance to cancel the request. This is basic account security.