Workflowy com login
9/19/2023

Original post:

I have just found what I believe to be a serious risk for account hijacking at Dynalist:

If I want to change my login email address, there is no way to do that online within my secure browser session while I am logged in. The process is that I need to send an unprotected email to support (any hacker can easily spoof the sender address) and I simply send them the login email of the account and the new email address.

So any hacker who wants to hijack my account, with all my personal or business data, simply needs to spoof an email sender address. Then the login gets changed to their new address and finally they click on “Request password reset”. I lose access to my account and they have all of my personal data which I have stored in Dynalist.

I sent a message to the support and their reply was: “We have not experienced anyone taking our trust to their advantage yet.”

(I am not storing any business data in Dynalist. Running a business in the EU, this would not comply with the GDPR regulation at all.)

Reply from Dynalist:

Our systems rely on the SPF and DKIM checks to validate emails. Most email services such as Gmail, Yahoo, etc. all strictly follow the SPF and DKIM protocol, which allows us to put spoofed emails straight to spam. Your original email change was approved because your email is verified to be from “ ” using the two security measures.

Given you’re security-sensitive, I double-checked your email provider. It seems that on “ ” (not real), you have an SPF record set to “v=spf1 mx a ?all” and a DKIM which is not configured. This is the equivalent of saying ANY server on the internet can send emails as “ ” (not real) and spoof your email address. Since this is what you’ve purposefully configured for your email address, the email security protocol is basically telling us that any email (spoofed or not) is real and we should believe that it is actually sent from you.

In contrast, Gmail, for example, has a properly configured SPF and DKIM record (which I can see and verify, such as your original email sent from (not real)). In either case, this is the industry-standard authentication system, which did validate your original email. If you can configure your own domain name to properly advertise SPF and DKIM records, you can be assured that nobody will be able to spoof your emails, as all modern internet email systems will verify the SPF and DKIM records.

We do plan to provide a way to automate changing emails. We don’t want to manually do this tedious process either, especially given the spoofing risk.

Another post, on the WorkFlowy incident:

Hello, I just noticed that an invasion attack attempt happened on the WorkFlowy servers. It forced them to disconnect all users’ sessions and advise them to change their passwords if the same pwd is used in different site(s)… More details can be found on the link below.

Considering Dynalist also has very sensitive data, and STILL does not offer 2FA / MFA (like Workflowy), I wonder if this could be a good opportunity to reinforce this idea / project. I don’t use WF anymore and I don’t regret any day having switched to Dynalist, but I still occasionally receive blog news updates from them.

This is really worrying and a critical concern. I have a strong password, not used anywhere else, always logout from my sessions when I’m not using it, but it still terrifies me the possibility that something like this could also happen.

WorkFlowy – 20 Mar 21
Security Notice: If you can’t log into Workflowy right now, or you are. Update: We have fixed the mobile and desktop apps to allow logins and signups again. Updates to the mobile apps are pending review.
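The exchange above turns on what an SPF record such as “v=spf1 mx a ?all” actually tells a receiving mail server. The following is an added example, not code from Dynalist, the forum poster, or the original page: a small SPF evaluator in the style of RFC 7208 that runs against constructed, in-memory DNS data for made-up domains (example-sender.test, hardened.test, strict.test, all hypothetical) so it works offline. It shows that the trailing qualifier decides the verdict for any sender not listed in the record: “?all” yields “neutral”, which RFC 7208 says a receiver must treat exactly like having no SPF record at all, whereas “-all” yields “fail”, which is the result a receiver can reject on.

```python
"""Minimal SPF evaluator (RFC 7208 style) over constructed DNS data.

Added example; not Dynalist's or the forum poster's code. Only the a, mx,
ip4 and all mechanisms are implemented; redirect=/include are out of scope.
"""
import ipaddress

# Constructed DNS zone data for hypothetical domains (not real records).
DNS = {
    "example-sender.test": {            # same shape as the record in the thread
        "TXT": ["v=spf1 mx a ?all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.example-sender.test"],
    },
    "mail.example-sender.test": {"A": ["203.0.113.20"]},
    "hardened.test": {                  # same hosts, but a hard fail at the end
        "TXT": ["v=spf1 mx a -all"],
        "A": ["203.0.113.10"],
        "MX": ["mail.hardened.test"],
    },
    "mail.hardened.test": {"A": ["203.0.113.20"]},
    "strict.test": {                    # explicit network range, hard fail
        "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"],
    },
}

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2). "+" is implied.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve a record from the constructed zone data; empty if absent."""
    return DNS.get(name, {}).get(rtype, [])


def _addresses(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def mechanism_matches(mech, domain, ip):
    """Return True if the mechanism (without its qualifier) matches ip."""
    if mech == "all":
        return True
    name, _, arg = mech.partition(":")
    target = arg or domain
    if name == "a":
        return ip in _addresses(target)
    if name == "mx":
        return any(ip in _addresses(host) for host in lookup(target, "MX"))
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(domain, sender_ip):
    """Evaluate domain's SPF record for a message from sender_ip.

    Returns one of: none, pass, fail, softfail, neutral.
    """
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        has_qualifier = term[0] in QUALIFIERS
        qualifier = term[0] if has_qualifier else "+"
        mech = term[1:] if has_qualifier else term
        if mechanism_matches(mech, domain, ip):
            return QUALIFIERS[qualifier]
    # No mechanism matched and no "all" term present: default is neutral.
    return "neutral"


def receiver_decision(spf_result):
    """What a typical receiver does with the SPF result.

    RFC 7208 section 8.2: "neutral" MUST be treated like "none", i.e. the
    domain expressed no policy, so the message is accepted on SPF grounds.
    """
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "accept-and-flag"
    return "accept"


if __name__ == "__main__":
    unlisted_ip = "198.51.100.7"  # an arbitrary host not in any record
    for domain in ("example-sender.test", "hardened.test", "strict.test"):
        result = check_spf(domain, unlisted_ip)
        print(f"{domain:22} {unlisted_ip} -> {result:8} -> {receiver_decision(result)}")
```

Run against the constructed data, an unlisted sender is accepted for the “?all” domain and rejected for the two “-all” domains, while a listed host such as 203.0.113.20 passes for all of them. A receiver that wants SPF to block forged sender addresses therefore needs the sending domain to publish “-all” (or at least “~all”); DKIM signing and a DMARC policy, which the thread does not cover, are the usual complements.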