Security for Email verification/confirmation [closed]

When someone registers on a website with their email address, usually they are asked to verify or confirm their email by clicking on a link in an email that they are sent. The same goes for subscribing or unsubscribing to a mailing list.

Usability wise, this is great. It's very quick and easy to do, I can't think of anything that beats it.

I am not sure if I am overthinking things, but I just wanted to see if I missed anything or misjudged anything.

So as far as I know the purpose of email verification/confirmation is

  • To make sure that the email address is correct
  • To make sure Emails that are sent to this address can be read and received
  • To make sure the email address really belongs to the person who's trying to sign up

With the current popular implementation of just one link that they click and that verifies the email instantly, someone could just brute force the verification link and circumvent this whole step.

Just visit verify.php?code=YOURBESTGUESSHERE and try all kinds of different codes.

An attacker could then carry out the following exploits:

  • hurt my business by unsubscribing a bunch of people from my mailing list
  • add a bunch of people to my mailing list without their consent, since they might not be interested in my content, they could think I'm spam and a bad business
  • someone could farm addresses by checking the responses on the verification page (for example if the response is "[email protected] is already verified" or so)
  • someone could create fake accounts without the need of having an actual working email address

I am not sure what the benefit of the latter would be, and it seems it would be much easier to just create a throwaway address for this purpose, but I just wanted to put it up there to be complete.

My Questions:

  • Did I miss any other purposes or exploitations of email verification / confirmation?
  • Should I add layers of security to the email verification, such as a captcha or time delays to prevent brute forcing?
  • Should I ask for additional information other than the reset code? Like username or email address again? Or a security question type thing, or another piece of information they entered when registering?

What are best practices for this whole thing, and how much worry and effort does really need to be put towards it? Risks vs. Benefits / Security vs. Usability... ?

olli asked Mar 01 '14 22:03


2 Answers

If the attacker's search space for YOURBESTGUESSHERE is large enough, brute force becomes infeasible. Use {a code derived from {email address plus timestamp} (which may have arbitrary other stuff, such as a random nonce, incorporated)} fed through a known-good implementation of a known-good one-way hash function.

Ensure the code is only good for a short time (a couple of days, perhaps) after it's used.

Don't leak information when the code is presented - the real user of the code knows what email address it applies to, and nobody else needs to.

mlp answered Oct 16 '22 20:10
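The token design in the answer above, as an added example (not code from the original post): the code is an HMAC over email, issue time and a random nonce, which gives a 256-bit search space, the server stores only a hash of the code so a dumped table does not yield usable links, each code is single-use and expires after a couple of days, and every failure (unknown, expired or already used) gets the same response so the endpoint cannot be used to enumerate addresses. `SERVER_KEY`, `PENDING` and `VERIFIED` are assumed stand-ins for a configured secret and database tables.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side key; in production load it from a secret store, never hard-code it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 2 * 24 * 60 * 60  # "a couple of days"

# Constructed in-memory stand-ins for database tables.
PENDING = {}       # sha256(code) -> {"email": ..., "issued_at": ...}
VERIFIED = set()   # addresses that completed verification


def _lookup_key(code: str) -> str:
    # Index pending codes by their hash so a leaked table does not contain clickable links.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(email: str, now: Optional[float] = None) -> str:
    """Derive a verification code from email + timestamp + nonce under a keyed hash."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)
    msg = b"|".join([email.encode(), str(int(now)).encode(), nonce])
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    # URL-safe, no padding: this is the value that goes into verify.php?code=...
    code = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    PENDING[_lookup_key(code)] = {"email": email, "issued_at": now}
    return code


def verify_code(code: str, now: Optional[float] = None) -> bool:
    """Consume a code exactly once; reject unknown or expired codes."""
    now = time.time() if now is None else now
    record = PENDING.pop(_lookup_key(code), None)   # pop: single use, valid or not
    if record is None:
        return False
    if now - record["issued_at"] > TOKEN_TTL_SECONDS:
        return False
    VERIFIED.add(record["email"])
    return True


def verification_response(code: str, now: Optional[float] = None) -> str:
    """User-facing text: identical for every failure mode, and never echoes the address."""
    if verify_code(code, now):
        return "Thanks, your address is verified."
    return "This verification link is not valid. Request a new one if you still need to verify."
```

The only state an attacker can observe is "valid once" versus "the same generic failure", and guessing a 43-character code is not a practical attack regardless of rate limiting; rate limiting still belongs in front of the endpoint, but as a load control rather than the thing the security rests on.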

You can always increase security, if needed. Think of combining the link with a unique code. So when brute force allowed them to find a link, they still need to enter a random code from the email.

Suggestions like limiting the number of attempts would be one of the first I would implement, to avoid system issues (number of requests) rather than security.

Ralf answered Oct 16 '22 19:10
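The two suggestions in the answer above combined, as an added example that is not from the original post: the link carries a random token, the email body carries a separate short code that must be typed on the landing page, and failed attempts are counted both per link (the link is burned after `MAX_ATTEMPTS` wrong codes) and per client (a client that keeps failing is locked out for `LOCKOUT_SECONDS`). `LINKS` and `CLIENT_FAILS` are assumed in-memory stand-ins for a database and a rate-limit store, and the `client_id` is whatever request attribute you key the limiter on (source address, session, or both).

```python
import secrets
import time
from collections import defaultdict
from typing import Optional

MAX_ATTEMPTS = 5            # wrong codes tolerated per link and per client window
LOCKOUT_SECONDS = 15 * 60   # sliding window for the per-client counter

# Constructed stand-ins for persistent storage.
LINKS = {}                          # link_token -> {"email", "code", "attempts"}
CLIENT_FAILS = defaultdict(list)    # client_id -> timestamps of recent failures


def create_verification(email: str):
    """Return (link_token, code): the token goes in the URL, the code in the email body."""
    link_token = secrets.token_urlsafe(32)
    code = f"{secrets.randbelow(10**6):06d}"      # six digits, easy to type by hand
    LINKS[link_token] = {"email": email, "code": code, "attempts": 0}
    return link_token, code


def _client_locked(client_id: str, now: float) -> bool:
    # Keep only failures inside the window, then compare against the threshold.
    recent = [t for t in CLIENT_FAILS[client_id] if now - t < LOCKOUT_SECONDS]
    CLIENT_FAILS[client_id] = recent
    return len(recent) >= MAX_ATTEMPTS


def confirm(link_token: str, code: str, client_id: str, now: Optional[float] = None) -> str:
    """Outcome of a landing-page submission: 'verified', 'invalid' or 'locked'."""
    now = time.time() if now is None else now
    if _client_locked(client_id, now):
        return "locked"                            # do not even touch the link record

    record = LINKS.get(link_token)
    if record is not None:
        record["attempts"] += 1                    # count before checking, so guesses are bounded
    if (record is None
            or record["attempts"] > MAX_ATTEMPTS   # link already burned by earlier guesses
            or not secrets.compare_digest(record["code"], code)):
        CLIENT_FAILS[client_id].append(now)
        return "invalid"                           # same answer for bad token and bad code

    del LINKS[link_token]                          # single use
    return "verified"
```

With a 6-digit code the per-link budget of five guesses gives an attacker at most a 5 in 1,000,000 chance per link, and the per-client window stops a single source from spraying many links; note that `confirm` deliberately returns the same "invalid" for an unknown token and a wrong code so the landing page does not reveal which part of the guess was right.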