
Make it harder for users who blindly click any link in any email they receive and then click confirmation buttons on the following page without reading anything to verify accounts they don't actually own
Open, Wishlist, Public

Description

We have an open phabricator instance at https://dev.gnupg.org/ with these settings:

auth.require-approval            false
auth.require-email-verification  true

Currently the process for new users is:

  1. Register a new account (with username, password and email)
  2. Click the link in the welcome email
  3. Have fun with phabricator

Here is what an attacker could do:

  1. Attacker mass-registers a number of accounts
  2. Some confused recipient clicks on the verification link.
  3. The same confused recipient clicks on the "Verify your account button" on the verification page.
  4. The same confused recipient abandons the site (forever).
  5. The attacker logs into the site with the password that is only known to him.

This allows the attacker to post spam without having a valid email address.

Of course, getting a throw-away email address is much easier, so this is not at all a likely scenario. Nevertheless, I think I have seen all of the above steps except for the actual spamming, so users clicking on random things in emails is actually a thing.

It is very easy to prevent this scenario entirely: Don't log the user in automatically after verification, but require the password first.

A less effective counter-measure is having a captcha. (We don't want to use recaptcha due to privacy and other issues, so we have to roll our own).

Sorry that this is a somewhat far-fetched scenario. That's just a testament to how good Phabricator already is :)
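The registration and verification flow from the description, as an added example written for this page; it is a constructed in-memory model, not Phabricator code, and every class, method and account name in it is an assumption. It reproduces the weak flow (clicking the link marks the address verified and starts a session for whoever clicked) beside a hardened one that generalises the suggested remedy a little: the verification page demands proof of account ownership, a password for accounts that have one and an existing session for accounts that authenticate externally, and never mints a session from the link itself. The fixed salt in `hash_password` exists only to keep the model short.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory model of the registration flow described above.
# Not Phabricator code; names are illustrative assumptions.

SALT = b"constructed-fixed-salt"  # a real system stores a random per-account salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class Account:
    username: str
    email: str
    # None models an OAuth/LDAP-backed account that has no local password.
    password_hash: Optional[bytes]
    email_verified: bool = False


class AuthService:
    def __init__(self, bind_verification_to_owner: bool):
        # False reproduces the flow the description complains about: clicking
        # the link verifies the address and logs the clicker in.
        # True is the hardened variant: the clicker must prove they own the
        # account before the address counts as verified, and no session is minted.
        self.bind = bind_verification_to_owner
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, str] = {}    # verification token -> username
        self.sessions: Dict[str, str] = {}  # session id -> username

    def register(self, username: str, email: str, password: Optional[str] = None) -> str:
        pw = hash_password(password) if password is not None else None
        self.accounts[username] = Account(username, email, pw)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token  # in reality mailed to `email`, which nobody has checked yet

    def _new_session(self, username: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def _password_ok(self, acct: Account, password: Optional[str]) -> bool:
        if acct.password_hash is None or password is None:
            return False
        return hmac.compare_digest(acct.password_hash, hash_password(password))

    def login(self, username: str, password: str) -> Optional[str]:
        # auth.require-email-verification: unverified accounts cannot log in.
        acct = self.accounts.get(username)
        if acct is None or not acct.email_verified or not self._password_ok(acct, password):
            return None
        return self._new_session(username)

    def verify(self, token: str, password: Optional[str] = None,
               session: Optional[str] = None) -> bool:
        """The mail recipient clicks the link and presses the confirm button.
        Returns True if the address is now marked verified."""
        username = self.tokens.get(token)
        if username is None:
            return False
        acct = self.accounts[username]
        if self.bind:
            if acct.password_hash is not None:
                owner = self._password_ok(acct, password)
            else:
                # No local password: require that the clicker is already logged
                # in as this account through its external provider.
                owner = self.sessions.get(session) == username
            if not owner:
                return False  # token stays valid for the real owner
        del self.tokens[token]
        acct.email_verified = True
        if not self.bind:
            # Weak flow: the clicker receives a session for an account whose
            # password they never chose; a confused recipient simply leaves.
            self._new_session(username)
        return True


def attacker_gets_in(bind_verification_to_owner: bool) -> bool:
    """Steps 1-5 from the description: attacker registers with someone else's
    address, that person blindly confirms, attacker logs in with the password."""
    svc = AuthService(bind_verification_to_owner)
    token = svc.register("mallory", "bystander@example.org", "only-mallory-knows")
    svc.verify(token)  # bystander clicks through; knows no password
    return svc.login("mallory", "only-mallory-knows") is not None


def legitimate_flows_work(bind_verification_to_owner: bool) -> bool:
    """Real owners still get through: one password account, one external one."""
    svc = AuthService(bind_verification_to_owner)
    t1 = svc.register("alice", "alice@example.org", "alice-pw")
    ok_pw = svc.verify(t1, password="alice-pw") and svc.login("alice", "alice-pw") is not None
    t2 = svc.register("bob", "bob@example.org")  # OAuth-style, no local password
    sid = svc._new_session("bob")                 # provider already authenticated bob
    ok_ext = svc.verify(t2, session=sid) and svc.accounts["bob"].email_verified
    return bool(ok_pw and ok_ext)
```

With `bind_verification_to_owner=False` the bystander's click is enough for the attacker's later login to succeed; with `True` the click does nothing and the account stays unverified, while both legitimate owners verify as before.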

Event Timeline

epriestley triaged this task as Wishlist priority. Apr 25 2017, 6:28 PM
epriestley added a subscriber: epriestley.

I suspect these might be "security researchers" who are trying to demonstrate how Phabricator is rife with "critical vulnerabilities".

Spammers can much more easily use a temporary/disposable address (and could automate this), and spammers we've seen in the past are happy to manually click verification links and are not deterred by auth.require-email-verification (see T11989).

We can maybe make this flow more clear, but I don't think it's particularly misleading in its current form. The suggested remedy (require re-entry of the password) won't work in the general case because many accounts do not have a password (instead, they use OAuth, LDAP, etc).

(Also, registration already requires filling out a CAPTCHA if CAPTCHAs are enabled, so adding a second CAPTCHA on this flow shouldn't meaningfully raise the barrier for attackers.)

[Attachment: Screen Shot 2017-04-25 at 11.29.50 AM.png]

epriestley renamed this task from "require password at email verification" to "Make it harder for users who blindly click any link in any email they receive and then click confirmation buttons on the following page without reading anything to verify accounts they don't actually own". Apr 25 2017, 6:55 PM