Change email after registering and pending activation?


(Fernando Melone) #1

Hello,

It seems that this feature is a great opportunity for people to impersonate others using another domain name.

  1. I register with @coolcompany.com
  2. I get the “change email address” button when registering but pending activation.
  3. I wait a few hours with that window open (or maybe a few minutes) until I get approved, you never know, maybe they are super effective.
  4. I click change my email address, and I basically can put whatever there, but I am already approved!

The admin does not get a "@coolcompany.com has not activated, and @another.com is pending", no, instead, I have approved someone I thought it was from @coolcompany.com, but actually it was just using that domain to get approved, as I don’t get another pending approval item.

Is this by design? is it a bug? I could not find a topic like this in the forums.

My big question is, can I deactivate this feature? I honestly don’t want it.

Thanks!


(Jay Pfaffman) #2

There is a site setting that keeps users from being able to change their email address. Will that help?


(Fernando Melone) #3

Of course! I mean, my post has 2 goals:

  • Letting you guys that this seems like a good way to impersonate people
  • Find out how to disable this.

@pfaffman how do I disable it?


(Eli the Bearded) #4

Doesn’t the signup with @coolcompany need to confirm control of the email address? Or does that happen after the approval? Confirmation should happen for all email addresses.


(Jeff Atwood) #5

Yeah this seems like a bug in the feature – @eviltrout worked on it, can you confirm this does not work Robin because I don’t think it should.

Once the user has confirmed their email, that function should no longer work.

This is basically a security exploit so I think handling it should be prioritized.


(Robin Ward) #6

I just tried to reproduce this and got an error from the server: You are not permitted to view the requested resource.

The URL makes a request to /u/update-activation-email. I confirmed in the source code that if a user is already active that it raises an error:

Are you 100% sure you were able to change the email address following the above steps? Because I am not able to.


(Fernando Melone) #7

@eviltrout Yes! just tried it again.

Basically I tried it with a teammate.

  1. He signs up, writes the @coolcompany.com email.
  2. Stops on the screen when he can change his email (pending approval)
  3. I go to the admin panel, approve him (as I see he is a good fella from @coolcompany.com)
  4. He then proceeds to change his email on that screen clicking the “change email address” grey button.
  5. He gets a “new” confirmation email to his NEW INSERTED email address, and validates his NEW address.
  6. He is now approved, and into the forums.
  7. When I go to see the list of users, he now has another email! I mean, I am not going to check everybody’s emails once a week just to check if they did not do that. I have already approved someone based on the initial information they provided, presuming they CANNOT change it afterwards (I have disabled the option to change their emails in the future).

But I am REALLY interested in disabling this feature we are talking about here.

Thanks!


(Régis Hanol) #8

Just making sure, what version of Discourse are you running?


(Fernando Melone) #9

Trial of Std version, cloud, hosted by Discourse :slight_smile:


(Jeff Atwood) #10

This seems to be the main difference, you have mandatory account approvals enabled, not default out of box signup?

So disable that on your site, since it seems to be the source of the issue.


(David Taylor) #11

I think I’ve seen this before on my instance - isn’t really an issue for us though as we don’t care what email address people use. Just repro-d it successfully on tests-passed.

Just in case there’s any confusion about active vs. approved. As I understand it:

  • “active” is related to verifying your own email address
  • “approved” is when a staff member approves a user (with must approve users site setting)

I think @fermelone is talking about this scenario, which I can reproduce:

  • User signs up, but does not “activate”
  • Staff member sees new user, and clicks “approve” after looking at their (un-activated) email address
  • User uses “update activation email” to change email address
  • User can now activate an account

So maybe users shouldn’t be added to the approval queue until they are ‘activated’?


(Fernando Melone) #12

@codinghorror I get your point, but I want to control who accesses and registers to my forum.

@David_Taylor I like David’s idea, once they confirmed the email that they cannot change, then show me I have a pending approval. I like this one.


(Sam Saffron) #13

Absolutely, this also cuts down noise in the approve users queue, should be our default behavior, not sure you should even be allowed to disable


(Jeff Atwood) #14

I believe this was discussed early on, the chicken and egg problem between the admin approving first, or the user validating their email first. They definitely should not show up as approve-able until they validate their email though.


(Jeff Atwood) #15

Are you able to repro this now @eviltrout?


(Robin Ward) #16

The issue here is someone doesn’t ever want users to change their emails, and they were allowed to do so following approval if they hadn’t activated their original email. It doesn’t seem like a security hole to me since the user still had the authenticate the email, but I understand in some rare situations forum owners don’t want users to change their emails.

The solution is what’s suggested earlier: don’t allow staff to approve a user until they’ve confirmed their email address.


(Jeff Atwood) #17

This topic was automatically closed after 5 days. New replies are no longer allowed.