    Email verification security hole?

    Q&A
    email verification security
    • dan

      We just received a security vulnerability report revolving around the possibility of an attacker signing up with an email address, the real owner of that email address then signs up later using OAuth, and the OAuth identity is linked to the existing account. I wonder if this isn't something we could configure differently (either to reject the OAuth signup, or to not link the identities unless the email has been verified?), but I am not sure where exactly we'd do it. We're using OpenID with Google OAuth, as the sole OAuth provider at the moment. Anyone have any relevant experience with this kind of issue?

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • dan

        If you are using email verification, you can check this user state within your own app. (So, don't allow the attacker to access anything until their email address has been verified.)

        In version 1.27.0 you can configure a gated login flow when the user is not verified (this is a 'reactor' feature requiring a paid license). This will enforce email verification before we even redirect to your app. You can then also configure FusionAuth to delete users after N days if the user has not verified their email address. This can assist with the build-up of accounts that are not actually in use.

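To make the scenario and the two mitigations from the reply concrete, here is an added example (not FusionAuth's code, and not from either poster) that models the flow in an in-memory store: a password signup with someone else's email, a later OAuth login with that email being linked to the existing account, the in-app gate on the user's verified state, and the purge of accounts still unverified after N days. The `verified` attribute is assumed to correspond to the `verified` flag on a FusionAuth user record; the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model of the thread's situation. `verified` stands in for the
# user's email-verified flag (assumption: FusionAuth's user `verified` field).


@dataclass
class User:
    email: str
    verified: bool
    created_at: datetime
    identities: set = field(default_factory=set)  # e.g. {"password", "google"}


class UserStore:
    def __init__(self):
        self.users = {}

    def register_with_password(self, email, now):
        # Self-registration: the account exists before the email is verified.
        user = User(email, False, now, {"password"})
        self.users[email] = user
        return user

    def login_with_oauth(self, email, provider, now):
        # Link by email: an existing account with this email gets the OAuth
        # identity attached; otherwise a fresh account is created.
        user = self.users.get(email)
        if user is None:
            user = User(email, False, now, set())
            self.users[email] = user
        user.identities.add(provider)
        return user

    def purge_unverified(self, now, max_age_days):
        # The cleanup the reply describes: drop accounts still unverified
        # after N days and return the emails that were removed.
        cutoff = now - timedelta(days=max_age_days)
        stale = [e for e, u in self.users.items()
                 if not u.verified and u.created_at < cutoff]
        for e in stale:
            del self.users[e]
        return stale


def app_allows_access(user):
    # The in-app gate: no access on any login method until the email is verified.
    return user.verified


def day(n):
    # Constructed clock for the example: n days after a fixed start date.
    return datetime(2021, 6, 1, tzinfo=timezone.utc) + timedelta(days=n)
```

Whether the login arrived via password or via the linked Google identity, the gate only looks at the verified flag, so the account created with an unverified email is kept out of the app until verification happens.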
