Third-party accounts log into an account without verification


(stuartpb) #1

From what I can tell, if I’ve already created an account with my email address (say, via GitHub), then I sign out, then sign in in via another service (such as Facebook) where I have the same e-mail, I’m logged in to my Discourse account with no further steps.

Here’s why this is a bug:

Say Alice has an email address, and a Facebook account, but not a Twitter account. She signs up for an account in Discourse using her Facebook account.

Later, Eve creates a Twitter account with Alice’s email address. Twitter lets you use an account without verifying the email address, so she then signs in to Discourse with this Twitter account. Discourse sees this Twitter account has the same email as Alice, and so logs Eve in as Alice.

Associating a new endpoint with an existing account should require verification from an already-authorized endpoint.


(Zane Beckman) #2

I’m almost 100% certain twitter does not authenticate an account via OAuth if the email address is unverified.

That being said, you do bring up an interesting point.


(lid) #3

It appears that twitter does not allow email retrieval to developer at all via oauth
https://dev.twitter.com/discussions/15589

f this link is still relevant I am not sure how discourse can associate the twitter account with an existing account email.

@stuartpb you a pointing out a possible weakness. Discourse should not rely on flowed oauth provider. (not saying that twitter is). If it is known that a common oauth provider does not verify email address Discourse can not rely on the email given by that provider.

But as it appear it is an hypothetical scenario.

also this is not going to solve this concern if the first verified user happened to be the user verified by a flowed oauth provider.

Associating a new endpoint with an existing account should require verification from an already-authorized endpoint.


(Jeff Atwood) #4

This is not a bug, we manually validate emails for providers who do not give us a validated email first.

And for those that do validate (Google, Facebook, Yahoo) it is valid to map them to email which we view as one of the primary keys for the account.


(Michael Brown) #5

I do agree with you on this point - if there’s demand for it I could see the benefit of a site setting to enable that.


(Kevin P. Fleming) #6

How would you propose achieving that? If you’ve linked your account to Google+, and then attempt to link the same account to Facebook, Discourse can’t ask Google+ for verification.


(Michael Brown) #7

Two options off the top of my head:

  • Costanza wallet style, where while logged in you can associate another endpoint
  • rather than asking the endpoint for verification, could be an email sent to the user with a ‘click to confirm association’ link in it.

(Kevin P. Fleming) #8

Yeah, I was thinking that the second option was the only practical one.


(stuartpb) #9

Or, when somebody logs in from a new endpoint, you prompt them to log in with one of the methods they’ve already authorized (so Password or Facebook is valid in the given example).