Note: This is based on a true story!
The story:
Alice and Bob are good friends; each knows the other's personal e-mail address and uses it to communicate with the other. Suppose that they are
email@example.com for Bob and Alice, respectively.
Bob is a member of an online community (a forum, for example) and he has put another email address of his, for example firstname.lastname@example.org, on his profile so that other users can contact him (this online community does not have an integrated messaging system that users can use to contact each other). In addition, Bob has configured email@example.com as the recovery email address for firstname.lastname@example.org. He has (intentionally) not added to his profile any other personal information indicating that this account belongs to Bob.
Alice knows that Bob is a member of this online community, but she does not know which account belongs to Bob. She suspects that the profile with the email address email@example.com is Bob's, but she's not sure. In order to confirm her suspicions, she comes up with this plan:
She goes to the Gmail website, enters firstname.lastname@example.org as the e-mail address and presses the "Forgot your password?" button. Then, the following message is displayed:
To obtain a verification code, first confirm the recovery email address you added to your account: "email@example.com"
firstname.lastname@example.org then the following message will appear:
Please enter the verification code sent to
That's all! She discovers that the account and e-mail address belong to Bob. She is very excited and sends the following message to
Ha ha! STATEMENT!
Well, Bob is very angry about that. He claims to have followed all the safety instructions and made an effort not to disclose any of his personal information and identity. Instead, he blames the email provider (e.g., Gmail) and claims that they should have designed the account recovery mechanism so as to protect the identity of the person behind the email address.
On the other hand, Alice, while proud of her ingenious plan, thinks that in this case there is an inevitable compromise between convenience and security. She says Bob has set up the recovery email so that he does not worry about his password, which has the side effect of revealing his identity.
Who is right here? If you think Bob was wrong, what should he have done to secure his identity and email (that is, keep it recoverable)? And if you're on Bob's side and think it's the email provider's fault, how would they set up the recovery mechanism?
Also, note that I do not insist that only one of the parties is right and that the blame is on the other side. It may be that both parties are right or wrong. If you have other points of view, I would be happy to hear them.