
So presuming a username/password authentication system (not an SSO), if you register a new user, what's the disadvantage of logging them in before verifying their account by email?

Let's presume that by logging them in they won't have access to sensitive content, or the ability to do something like charge a credit card.

Most software I've encountered does. "click register" -> "fill form" -> "send email" -> "activate account" (sometimes allowing concurrent login) -> login.

What I'm trying to figure out is if there's a security hole from basically taking a login form (you gave me a username/password) "click register" -> (account is created and you're logged in); or "click register" -> "fill form" -> "confirm and log in".

Obviously there are user experience advantages/disadvantages, but I've been trying to figure out if there are security implications of doing this. The only security implication I can think of is SPAM accounts, which is where someone is creating users automatically.

I'm just trying to ensure that I'm not making some mistake like not using a nonce in a password reset link (unrelated). Like maybe there's something security related that I don't know that I don't know.

xenoterracide
  • I think you need to explain your problem in more detail and/or provide more context. As it stands now I don't understand what you are asking at all and also if this is a real life problem or just some constructed problem. – Steffen Ullrich Aug 18 '16 at 05:03
  • OP seems to ask about the possibility to give a newly-created user account permissions to use a system before their email is verified; just like the StackExchange model. The problem is that it's case-by-case "business" decision. Some systems might not require the verification, some might not even require user registration, yet others will verify user's age by requesting their credit card number. It's not related to general infosec and the question is not specific either. – techraf Aug 18 '16 at 05:25
  • I updated the question, maybe it makes more sense, @techraf is basically right. I'm basically trying to make sure that this idea I'm having isn't harebrained by some security issue that I'm not thinking of. – xenoterracide Aug 18 '16 at 12:55
  • It's pretty common these days that sites will let you login with an unverified email address (or phone number, etc.) but insist on verification before allowing certain features - such as posting to a forum. – paj28 Aug 18 '16 at 13:24

1 Answer


You are introducing a user enumeration flaw into your system.

That is, any attacker can find out if bob@example.com is a user on your system by completing the registration process.

This is useful to an attacker for two reasons:

  • As per the article linked above

    As an attacker if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.

  • In a phishing campaign, the attacker knows exactly who to send their emails to.

There is also a privacy issue, especially if your site is something sensitive like Ashley Madison.

If the above is a concern to you, you can mitigate by requiring the user to acknowledge the activation email first. See this answer.

If not, then as you are not allowing them to access sensitive content or actions, there is little extra risk. If you were, then you could simply have a flag in the database: EmailConfirmed = 1 or 0, which will let your system know whether they can trust that the email address is genuine.

Also, not verifying users can be an annoyance when an email address is mistyped or purposely entered that of another person, in that the account gets squatted and the real user cannot then register their own account.

The real user of the account can sometimes regain control by completing the password reset process, although their account will then be tainted by whatever the previous occupier has set up. Again, this depends on the system but if there are sensitive settings such as extra recovery email addresses or access keys, or other active sessions, then there should be a way for users to reset their account to a fresh state after any squatting incident.

The other thing that may make reset tricky is if two factor authentication is employed. Any password reset by the real email address owner would be hindered due to lack of the second factor being available. In this case, it would be much easier to validate the email address at point of signup instead, as things can get complicated otherwise.

SilverlightFox
  • And this is why I asked this otherwise seemingly silly and security unrelated question. I'm familiar with the concept of enumeration attacks, my guess is the alarm was going off in the back of my head but I couldn't remember why. Thanks for the good answer. – xenoterracide Aug 23 '16 at 02:15
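The two registration flows discussed above, side by side, as an added example that is not part of the question or the answer. `register_leaky` is the question's "register and you're logged in" flow, whose response differs depending on whether the address already has an account; `register_uniform` is the answer's mitigation, where the caller always gets the same response and the distinguishing information goes only to the inbox of the address itself, and the `email_confirmed` field is the answer's EmailConfirmed = 1 or 0 flag gating a feature such as posting. The class, method names, message text and the in-memory outbox are all assumptions made for the example.

```python
"""Registration flow that does not reveal whether an email is already registered.

Added example, not code from the question or answer. All names are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# The one response every caller of the uniform flow sees, whatever happened.
UNIFORM_MESSAGE = "If that address is valid, we've sent you an email with the next step."


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    email_confirmed: bool = False          # the EmailConfirmed = 1 or 0 flag from the answer
    activation_token: Optional[str] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Stdlib KDF; the iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RegistrationService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Constructed stand-in for an outgoing mailer: (recipient, template name).
        self.outbox: list[tuple[str, str]] = []

    def register_leaky(self, email: str, password: str) -> str:
        """Flow from the question: create the account and log the user in at once.
        The response differs depending on whether the email exists, so anyone can
        test a list of addresses against this endpoint (user enumeration)."""
        if email in self.accounts:
            return "That email address is already registered."
        self._create(email, password)
        return "Account created, you are now logged in."

    def register_uniform(self, email: str, password: str) -> str:
        """Mitigation from the answer: the caller always sees the same response and
        is not logged in until the activation link is used."""
        if email in self.accounts:
            # Leave the existing account untouched; tell its real owner instead.
            self.outbox.append((email, "already-registered-notice"))
        else:
            account = self._create(email, password)
            account.activation_token = secrets.token_urlsafe(32)
            self.outbox.append((email, "activation:" + account.activation_token))
        # In production both branches should also take comparable time,
        # otherwise response latency still reveals which branch ran.
        return UNIFORM_MESSAGE

    def activate(self, token: str) -> bool:
        """Mark the account confirmed; the token is single use."""
        for account in self.accounts.values():
            if account.activation_token is None:
                continue
            if secrets.compare_digest(account.activation_token.encode(), token.encode()):
                account.email_confirmed = True
                account.activation_token = None
                return True
        return False

    def can_post(self, email: str) -> bool:
        """A feature gated on the confirmed flag (cf. paj28's comment on the question)."""
        account = self.accounts.get(email)
        return account is not None and account.email_confirmed

    def _create(self, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        account = Account(email=email, salt=salt, password_hash=hash_password(password, salt))
        self.accounts[email] = account
        return account


if __name__ == "__main__":
    svc = RegistrationService()
    print(svc.register_uniform("bob@example.com", "hunter2"))   # constructed sample address
    print(svc.register_uniform("bob@example.com", "other"))     # same message, different mail
    print(svc.outbox)
```

The point to check in your own system is the second `register_uniform` call: the HTTP response (status, body and, ideally, timing) must be indistinguishable from the first one, while the "already registered" notice only ever lands in the existing owner's inbox. The same uniform-response idea applies to the login and forgotten-password pages the answer mentions.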