We have an open phabricator instance at https://dev.gnupg.org/ with these settings:
    auth.require-approval false
    auth.require-email-verification true
Currently the process for new users is:
- Register a new account (with username, password and email)
- Click the link in the welcome email
- Have fun with phabricator
Here is what an attacker could do:
- Attacker mass-registers a number of accounts
- Some confused recipient clicks on the verification link.
- The same confused recipient clicks on the "Verify your account" button on the verification page.
- The same confused recipient abandons the site (forever).
- The attacker logs into the site with the password that is only known to him.
This allows the attacker to post spam without having a valid email address.
Of course, getting a throw-away email address is much easier, so this is not at all a likely scenario. Nevertheless, I think I have seen all of the above steps except for the actual spamming, so users clicking on random things in emails is actually a thing.
It is very easy to prevent this scenario entirely: don't log the user in automatically after verification, but require the account password first, so that completing verification proves both control of the mailbox and knowledge of the password.
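To make the difference concrete, here is an added example (not Phabricator's code; the in-memory store, the function names and the pbkdf2 parameters are assumptions) that models both verification flows side by side: the current one, where clicking the link verifies the address and starts a session for whoever clicked, and the proposed one, where the link only completes verification if the clicker also supplies the account password.

```python
"""Email-verification flows: auto-login on click versus password-gated.

Added example, not Phabricator's code. The store, token format and
pbkdf2 parameters are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; tune for your deployment


class AccountStore:
    """Minimal in-memory account store with email-verification tokens."""

    def __init__(self):
        self.accounts = {}  # username -> account record
        self.tokens = {}    # verification token -> username
        self.sessions = []  # (username, session id) pairs that were issued

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password, email):
        """Create an unverified account and return the token that would be
        mailed to `email`. The registrant never sees the token; only the
        mailbox owner does."""
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "password_hash": self._hash(password, salt),
            "email": email,
            "verified": False,
        }
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def check_password(self, username, password):
        acct = self.accounts[username]
        return hmac.compare_digest(self._hash(password, acct["salt"]), acct["password_hash"])

    def verify_autologin(self, token):
        """Current flow: the link alone verifies the address and logs in
        whoever clicked it (the confused recipient, not the registrant)."""
        username = self.tokens.pop(token, None)
        if username is None:
            return None
        self.accounts[username]["verified"] = True
        self.sessions.append((username, secrets.token_urlsafe(16)))
        return username

    def verify_with_password(self, token, password):
        """Proposed flow: the link proves control of the mailbox, the
        password proves the clicker owns the account. Both are required,
        so a recipient who did not register cannot complete verification."""
        username = self.tokens.get(token)
        if username is None or not self.check_password(username, password):
            return False
        del self.tokens[token]
        self.accounts[username]["verified"] = True
        return True

    def login(self, username, password):
        """Mirrors auth.require-email-verification: unverified accounts
        cannot log in even with the correct password."""
        acct = self.accounts.get(username)
        if acct is None or not acct["verified"]:
            return False
        return self.check_password(username, password)


def simulate_attack(hardened):
    """Replay the scenario from the report and return whether the
    registrant ends up able to log in. Values are constructed."""
    store = AccountStore()
    attacker_password = "only-the-registrant-knows-this"
    # Attacker registers with someone else's address; the mail goes there.
    token = store.register("spammer", attacker_password, "confused@example.org")
    # The confused recipient clicks the link. They do not know the password.
    if hardened:
        store.verify_with_password(token, "whatever-the-recipient-guesses")
    else:
        store.verify_autologin(token)
    # The registrant now tries to use the account.
    return store.login("spammer", attacker_password)


if __name__ == "__main__":
    print("current flow, registrant can log in:", simulate_attack(hardened=False))
    print("hardened flow, registrant can log in:", simulate_attack(hardened=True))
```

In the hardened flow the legitimate case still works: the person who registered knows the password, clicks their own link, enters it, and is verified. The only party locked out is a clicker who does not know the password, which is exactly the confused recipient in the report.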
A less effective counter-measure is a captcha. (We don't want to use reCAPTCHA due to privacy and other issues, so we would have to roll our own.)
Sorry that this is a somewhat far-fetched scenario. That's just a testament to how good Phabricator already is :)