- Status Closed
- Assigned To No-one
- Private
Attached to Project: Security vulnerabilities
Opened by grycolor - 15.01.2024
Last edited by cbay - 16.01.2024
FS#13 - Lack of Verification Email
Description:
The website lacks proper email verification. During the user registration process, it only sends a greeting email upon registration. The absence of email verification could lead to the creation of unverified accounts and the hosting of content with any email address, potentially posing a serious security risk.
Impact:
The absence of email verification poses a significant security risk, allowing the potential use of any email address for registration on a hosting site without proper authentication. This could lead to the creation of accounts under false identities, enabling malicious actors to host illegal content anonymously.
The free hosting service, which doesn't require valid details, may be exploited for unauthorized activities, emphasizing the need for robust email verification procedures to ensure account legitimacy and prevent abuse like:
- Spam distribution
- Phishing campaigns
- Distribution of illegal or harmful content
- Reputational damage to the platform
So, I am reporting this issue to the platform's security team for addressing the vulnerability and enhancing overall security.
Hello,
I assume what you mean by "verifying emails" is sending a link to the specified email address and making sure the client has clicked on it, to make sure they own that address.
How would that prevent anyone from doing "bad" activities with their accounts, such as the ones you mentioned (spam, phishing, etc.)? Creating a new mailbox is trivial and can be done in seconds with services such as Temp Mail anyway.
Verifying emails has nothing to do with anonymity or legitimacy.
Kind regards,
Cyril
Thank you for sharing your perspective on email verification. While it's true that email verification might not address all aspects of online security, it remains an important step in confirming that the user has access to the provided email address. Without email verification, it becomes easier for someone to use anybody's email address, especially if the email is publicly available.
Account Validation: Email verification ensures that users provide valid and accessible email addresses during registration, reducing the risk of fake or malicious accounts.
Is there a problem using an email address that's not yours, from a security perspective? What would you gain doing that?
Identity collision: Any user can sign up with any email address, potentially invalidating or blocking the actual owner's registration due to duplicate email collision.
Someone used my email to make an account on a website, and that account got into trouble with issues like suspension or billing. Now, when I want to use the website, I can't make a new account because of problems caused by someone else using my email without permission. The core problem lies in the unauthorized use of my email.
That's not a security issue: not being able to use your email when subscribing is a mere annoyance in a highly far-fetched scenario that never occurred even once in 16 years.
And even if it did happen, simply contacting us would solve the issue immediately.
If someone used my email, how do I use my email to subscribe?
You'd contact us, or use another email address, or even not subscribe. There's no security issue in any case.