According to http://trac.elgg.org/ticket/2243 users are logged in immediately after validating email. But it is not secure, because if the user has made a mistake in the email address during registration, the confirmation email will be sent to an incorrect address where another user will receive access to the system by clicking on the link.
It is unacceptable for private networks. I think this feature should be optional, so that the admin could turn it on or off depending on the requirements of a social network.
What do other networks do to verify identity? Has this issue ever been
exploited? Seems like a pretty small attack surface.
On Aug 10, 2012 1:28 AM, "Sergiy Kamolov" <sergiy.kamo...@gmail.com> wrote:
> According to http://trac.elgg.org/ticket/2243 users are logged in
> immediately after validating email. But it is not secure, because if the
> user has made a mistake in the email address during registration, the
> confirmation email will be sent to an incorrect address where another user
> will receive access to the system by clicking on the link.
> It is unacceptable for private networks. I think this feature should be
> optional, so that the admin could turn it on or off depending on the
> requirements of a social network.
> What do you think about this issue?
> --
> You received this message because you are subscribed to the Google
> Groups "Elgg development" group.
> To post to this group, send email to elgg-development@googlegroups.com
> To unsubscribe from this group, send email to
> elgg-development+unsubscribe@googlegroups.com
Oh, I should also mention that in general, security issues should be sent
to secur...@elgg.org.
On Aug 10, 2012 8:44 PM, "Evan Winslow" <e...@elgg.org> wrote:
> What do other networks do to verify identity? Has this issue ever been
> exploited? Seems like a pretty small attack surface.
> According to http://trac.elgg.org/ticket/2243 users are logged in immediately after
> validating email. But it is not secure, because if the user has made a mistake in the
> email address during registration, the confirmation email will be sent to an incorrect
> address where another user will receive access to the system by clicking on the link.
This isn't a security issue. A "private" network should use an external auth system (e.g. Shibboleth, LDAP), limit registration to a whitelist of email addresses/domains, or alter the confirmation to require the entry of a shared key. You can use Elgg to implement any of these.
That said, I wouldn't be against adding a hook before the login so this could be easily turned off via plugin. Would you like to submit a ticket and a patch to do that?
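One way to do the second of those options, an allow-list of email domains, as an Elgg 1.8 plugin. This is an added example, not code from the Elgg project or from the poster above. It assumes the `registeruser:validate:email` plugin hook that Elgg 1.8's `validate_email_address()` fires with `$params['email']` (a handler returning false rejects the address, and the register action then reports the address as invalid); the plugin name `closed_registration` and the domain list are made up for the illustration.

```php
<?php
// start.php of a hypothetical plugin "closed_registration".
// Added example: not Elgg core code. Assumes (Elgg 1.8) that
// validate_email_address() fires the 'registeruser:validate:email' hook with
// $params['email'] after its own syntax check, and that a handler returning
// false makes register_user() refuse the address.

elgg_register_event_handler('init', 'system', 'closed_registration_init');

function closed_registration_init() {
	elgg_register_plugin_hook_handler('registeruser:validate:email', 'all',
		'closed_registration_check_email');
}

/**
 * Allow registration only for addresses whose domain is on the allow-list.
 *
 * @param string $hook   'registeruser:validate:email'
 * @param string $type   'all'
 * @param bool   $value  result so far (true once Elgg's syntax check passed)
 * @param array  $params array('email' => address submitted on the form)
 * @return bool true to accept the address, false to reject it
 */
function closed_registration_check_email($hook, $type, $value, $params) {
	// Hard-coded for the example; a deployment would read this from a
	// plugin setting. Exact, case-insensitive match: a subdomain such as
	// mail.example.com is NOT accepted unless listed.
	$allowed_domains = array('example.com', 'corp.example.org');

	if ($value === false) {
		return false; // another handler already rejected it
	}

	$email = isset($params['email']) ? trim($params['email']) : '';
	$at = strrpos($email, '@'); // last '@' so a quoted local part cannot fool it
	if ($at === false) {
		return false;
	}
	$domain = strtolower(substr($email, $at + 1));

	return in_array($domain, $allowed_domains, true);
}
```

With this in place a typo in the local part still sends the confirmation to the wrong mailbox, but that mailbox is inside an organisation you already trust, which is the property a closed network actually needs. A plugin-specific error message would need a language file; as written the user sees Elgg's own "email not valid" message.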
This is a security issue for sure. "Private" networks do not suggest an external authorisation system is usable... maybe the term "Closed" network would have been better.
The solution is simple. Let's not auto-login users after verification, but simply redirect them to the login page and let them supply their username and password. Safe and very easy to implement.
There's a login event that fires. Register for the event and log the person out if it fires on the email validation URL. Not as clean but requires no patch.
> 2012/8/13 Tom <tom.voornev...@lorinthe.com>
> This is a security issue for sure.
> "Private" networks do not suggest an external authorisation system is usuable... maybe the term "Closed"network would have been better,
> The solution is simple. Let's not auto-login users after verification, but simply redirect them to the login page and let them supply their username and password. Safe and very easy to implement.
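What the event handler Steve describes could look like, as an Elgg 1.8 plugin. This is an added example, not Steve's code and not part of Elgg or its uservalidationbyemail plugin. It assumes, from reading Elgg 1.8, that the confirmation link is served at `/uservalidationbyemail/confirm` and calls `login()` after marking the account validated; that `login()` populates the session, then fires the `login`,`user` event and tears the session down again when a handler returns false; and that `current_page_url()` returns the URL being served. The plugin name is made up.

```php
<?php
// start.php of a hypothetical plugin "no_autologin_on_validate".
// Added example: not Elgg core, not uservalidationbyemail, not Steve's code.
// Assumes (Elgg 1.8): the confirm link is served at /uservalidationbyemail/confirm
// and calls login($user) once the account is validated; login() fires the
// 'login','user' event after populating the session and clears that session
// when a handler returns false; current_page_url() returns the request URL.

elgg_register_event_handler('init', 'system', 'no_autologin_on_validate_init');

function no_autologin_on_validate_init() {
	// Priority 1 so this runs before any other login handler.
	elgg_register_event_handler('login', 'user', 'no_autologin_on_validate_check', 1);
}

/**
 * True if the request being served is the email validation confirm page.
 * Compares the path only, so the u= and c= query parameters are ignored.
 *
 * @return bool
 */
function no_autologin_on_validate_is_confirm_request() {
	$path = parse_url(current_page_url(), PHP_URL_PATH);
	if (!is_string($path)) {
		return false;
	}
	return strpos($path, '/uservalidationbyemail/confirm') !== false;
}

/**
 * 'login','user' event handler: refuse the automatic login that follows email
 * validation so the user has to sign in with username and password.
 *
 * @param string   $event 'login'
 * @param string   $type  'user'
 * @param ElggUser $user  account being logged in
 * @return bool true to allow the login, false to abort it
 */
function no_autologin_on_validate_check($event, $type, $user) {
	if (!no_autologin_on_validate_is_confirm_request()) {
		return true; // ordinary login form submission: leave it alone
	}
	// The validated flag was set before login() was called, so the account
	// stays validated; only the session is withheld. Do not forward() here:
	// it exits before login() can clear the session it has already filled.
	system_message('Your email address is confirmed. Please log in with your '
		. 'username and password.'); // plain string, not localised via elgg_echo()
	return false;
}
```

After the handler returns false the confirm page handler's own `forward()` sends the user to the front page, logged out, with the message above shown. On a version whose `login()` ignores the handler's return value, calling `logout()` inside the handler is the equivalent. As Cash points out further down the thread, this only removes the convenience login: whoever owns the mistyped mailbox can still take the account over through password reset, so it complements the allow-list or external-auth approaches rather than replacing them.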
Once an account has been tied to an email account that the user does
not own, the game is over. The person who uses that email account has
control over the account since the password can be reset. Not logging
the user in upon email validation adds an additional step in the
takeover of the account but does not add any additional security.
On Aug 13, 6:58 am, Steve Clay <st...@elgg.org> wrote:
> There's a login event that fires. Register for the event and log the person out if it fires on the email validation URL. Not as clean but requires no patch.
> Once an account has been tied to an email account that the user does
> not own, the game is over. The person who uses that email account has
> control over the account since the password can be reset. Not logging
Oops. Listen to Cash. :) I need to stop posting before work...
This assumes local password based logins that allow for reset by email. This is the default case, of course, but if you're using OpenID or another login system then this argument is invalid. I like the idea of a hook that was brought up earlier, or making it an option.
> On Aug 13, 6:58 am, Steve Clay <st...@elgg.org> wrote:
>> There's a login event that fires. Register for the event and log the person out if it fires on the email validation URL. Not as clean but requires no patch.
>> On Aug 13, 2012, at 4:15 AM, Sergiy Kamolov <sergiy.kamo...@gmail.com> wrote:
>>> Can you just remove the login function that runs after the check that the sent validation code passed?
>>> https://github.com/skamolov/Elgg/commit/10f7c267d76c296618507744b01e1...
If you are using OpenID, the email address is provided by the OpenID
provider (at least that is how our OpenID plugin is written). All the
other login systems that I know of work the same way (email address
provided) and they do not send out account validation emails since the
provider of the account information is trusted.
> This assumes local password based logins that allow for reset by email.
> This is the default case, of course, but if you're using OpenID or
> another login system then this argument is invalid. I like the idea of a
> hook that was brought up earlier, or making it an option.
> -- Justin
> On 08/13/2012 11:11 AM, Cash Costello wrote:
> > Once an account has been tied to an email account that the user does
> > not own, the game is over. The person who uses that email account has
> > control over the account since the password can be reset. Not logging
> > the user in upon email validation adds an additional step in the
> > takeover of the account but does not add any additional security.