Email verification security hole?
-
We just received a security vulnerability report revolving around the possibility of an attacker signing up with an email address, the real owner of that email address then signs up later using OAuth, and the OAuth identity is linked to the existing account. I wonder if this isn't something we could configure differently (either to reject the OAuth signup, or to not link the identities unless the email has been verified?), but I am not sure where exactly we'd do it. We're using OpenID with Google OAuth, as the sole OAuth provider at the moment. Anyone have any relevant experience with this kind of issue?
-
If you are using email verification, you can check this user state within your own app. (So, don't allow the attacker to access anything until their email address has been verified.)
In version 1.27.0 you can configure a gated login flow when the user is not verified (this is a 'reactor' feature requiring a paid license). This will enforce email verification before we even redirect to your app. You can then also configure FusionAuth to delete users after N days if the user has not verified their email address. This can assist with the build-up of accounts that are not actually in use.
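The app-side check suggested in the answer above, as an added example that is not part of the original thread and is not FusionAuth code: an OAuth (Google OpenID Connect) login is only linked to an existing local account when that account has already proven ownership of the email address, and the provider itself reports the address as verified. The in-memory store, the names `UserStore`, `handle_oauth_login`, the `(provider, subject)` identity key and the sample addresses are all assumptions for illustration.

```python
"""
Added example (not from the original thread, not FusionAuth's own code):
refuse to merge an incoming OAuth identity into a local account whose email
address was never verified. Everything here (UserStore, handle_oauth_login,
the sample addresses) is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

IdentityKey = Tuple[str, str]  # (provider, subject) as delivered in the id_token


@dataclass
class User:
    email: str
    email_verified: bool
    # OAuth identities already attached to this account
    identities: Set[IdentityKey] = field(default_factory=set)


class UserStore:
    """Minimal in-memory user store standing in for the app's database."""

    def __init__(self) -> None:
        self._by_email: Dict[str, User] = {}
        self._by_identity: Dict[IdentityKey, User] = {}

    def register_with_password(self, email: str) -> User:
        """Local signup: the account starts unverified."""
        user = User(email=email.lower(), email_verified=False)
        self._by_email[user.email] = user
        return user

    def mark_verified(self, email: str) -> None:
        """Called only after the verification link for this address was used."""
        self._by_email[email.lower()].email_verified = True

    def get_by_email(self, email: str) -> Optional[User]:
        return self._by_email.get(email.lower())

    def get_by_identity(self, key: IdentityKey) -> Optional[User]:
        return self._by_identity.get(key)

    def add(self, user: User) -> None:
        self._by_email[user.email] = user
        for key in user.identities:
            self._by_identity[key] = user

    def link(self, user: User, key: IdentityKey) -> None:
        user.identities.add(key)
        self._by_identity[key] = user


def handle_oauth_login(store: UserStore, provider: str, subject: str,
                       email: str, provider_email_verified: bool) -> str:
    """
    Decide what to do with an OAuth login whose token carries `email` and
    the provider's `email_verified` claim.

    Returns one of:
      "linked"  - identity belongs to (or is now attached to) a verified account
      "created" - no account owned this address; a new one was created
      "blocked" - linking refused: either an unverified local account already
                  holds this address, or the provider did not verify it.
                  The caller should send the user to email verification.
    """
    key: IdentityKey = (provider, subject)

    # A previously linked identity is a normal login regardless of email.
    if store.get_by_identity(key) is not None:
        return "linked"

    existing = store.get_by_email(email)

    if existing is None:
        # New account; inherit the provider's verification status.
        user = User(email=email.lower(), email_verified=provider_email_verified)
        user.identities.add(key)
        store.add(user)
        return "created"

    # Core check: only merge when BOTH sides have proven ownership of the
    # address. An attacker who pre-registered the email locally and never
    # verified it therefore cannot capture the real owner's OAuth login.
    if not existing.email_verified or not provider_email_verified:
        return "blocked"

    store.link(existing, key)
    return "linked"
```

In the "blocked" case the app should route the user through its own verification flow rather than silently creating a second account, so that whichever party actually controls the mailbox ends up owning the record.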