
Quite often, in order to activate my account on a website, I'll receive an email with this:

https://web_site.com/access?uid=1234&secret=456789&login=0123456789&mid=aabbcccdd

Why user id, login, mid or other additional parameters? Why not only a secret activation code?

For example, Stack Overflow:

https://stackoverflow.com/users/signup-finish?email=my_email.com&name=my_name123&token=fdsafdsfdsfds&authCode=fdsafdsfdsfds
Incerteza

2 Answers

1

Seems to be a poor practice. All they need is a unique activation code that maps to your new account.

Some of them (e.g. secret=) can be treated as ephemeral and hence don't increase the risk by much, but in general limiting the exposure to any information / internal structure is always a good idea (despite all arguments against security by obscurity) - especially when used along with other security measures. There is also the additional risk of additional potential injection points with every additional parameter.

All considered, it is not a practice that I'd recommend.

Sas3
-1

It's simply a way to correlate your account and the activation token. An arbitrary token passed to a system means the system needs to search every token to:

  • Find its association, or
  • Tell the user it couldn't find it

By using the link to tie public information to the token, the back-end can now look directly at your account and respond Yay or Nay.

Using email and username with the token also allows the company to audit better. If, for whatever reason, an attack is trying to brute force a verification system, it would be pretty suspicious if bob_jane@example.com, using id bob_jane, tried 5 different verification tokens.

Shane Andrie
  • I'm somewhat dubious about this answer. If you have an index on your token column, it is no harder to look up the record by token than it is to look up the record by email and then verify the token. Granted, that requires one more index, but that is hardly ever an issue. Is brute forcing account recovery tokens an actual attack vector? The entropy on a recovery token should be so high as to be infeasible to brute force, I would imagine. You'd be better off just brute-forcing the login. I would expect the account recovery to have protections against brute-force though. – Conor Mancone Jul 27 '17 at 15:38
  • When you pass the token back to the system to verify the account, how does the system know what index it looks at? You could use the index, but you're basically doing the same, except exposing the index publicly. I suppose the token itself could be a pseudo token, that when passed back to be verified can derive index and key. – Shane Andrie Jul 28 '17 at 19:54
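The point made in the first answer (a single unique activation code is all the link needs) and in the comment thread above (an indexed token column makes the lookup by token just as direct as a lookup by email), shown as an added example that is not code from either poster. It assumes an in-memory dictionary standing in for a database table with a unique index on the token hash, and the placeholder host `web_site.com` from the question.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 3600

# Constructed in-memory tables standing in for database rows. The link carries
# only the token; the server reaches the account through the token_hash "index",
# so no uid, login or email needs to be exposed in the URL.
ACCOUNTS = {}      # uid -> {"email": str, "activated": bool}
ACTIVATIONS = {}   # sha256(token) -> {"uid": int, "expires": float}


def _token_hash(token: str) -> str:
    # Only a hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_activation(uid: int, email: str, now: Optional[float] = None) -> str:
    """Create an (unactivated) account record and return a single-use token."""
    now = time.time() if now is None else now
    ACCOUNTS[uid] = {"email": email, "activated": False}
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    ACTIVATIONS[_token_hash(token)] = {"uid": uid, "expires": now + TOKEN_TTL_SECONDS}
    return token


def activation_link(token: str) -> str:
    # Hypothetical host from the question; the query string is just the token.
    return "https://web_site.com/access?token=" + token


def activate(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Resolve the account directly from the token; no extra parameters needed."""
    now = time.time() if now is None else now
    record = ACTIVATIONS.pop(_token_hash(token), None)  # pop makes it single-use
    if record is None:
        return False, "unknown token"
    if now > record["expires"]:
        return False, "expired token"
    ACCOUNTS[record["uid"]]["activated"] = True
    return True, "activated"
```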