Users can easily use any (not yet used) email address for their account (potential security issue)
|Category:||Accounts / authentication|
When a user registers a new account, Redmine verifies the user's email address via the standard authentication email scheme: User gets an email to the claimed email address with a authentication code resp. a URL containing this authentication code; the user can only proceed with registration using that email address when he can actually read emails sent to this email address.This serves two purposes:
- Users are prevented from accidentally mistyping the email address.
- Users are prevented from maliciously associating somebody else's email address with an account they control.
The problem: Redmine currently only performs this check when registering an account. Once one has registered an account (e.g. by using a temporary email address such as "10 Minute Mail"), one can freely change the email address associated to the account without any further checks; the only exception is that email address which are already in use cannot be used.This allows for abuse and mistakes in multiple ways:
- Users may want to change their email address, and accidentally introduce a typo without noticing.
- Attackers could use this to claim the identity of a victim, as described above.
- Attackers could use this to prevent a victim from signing up with their email address if they are quicker in registering an account. This could be used to prevent the actual owner of that email address to register an account; or to post fake comments in the name of actual owner (the "victim") of the email address. The latter could be done in an attempt to abuse the good reputation of the victim (e.g. the attacked could pretend to be Linus Torvalds...) or to worsen the reputation of the victim by, say, by posting inflamatory messages in victim's name.
To solve this, the validity of the email address should be verified upon any change (perhaps optional based upon a site wide setting, but I think this should be on by default).
Of course this creates some potential UI difficulties. For example, which email address should Redmine use in the time between the request to change the address, until the verification happens -- and what if the verification never happens? Perhaps there should be a "timeout" then on each change request? What if there is another change request while the first one is still pending?
A more natural way might to overcome this might be to allow for multiple emails per user (something that has been requested before (see issue #4244). In this model, one cannot "change" the email address, merely add email addresses (each time using proper verification; and using the same code as during registration), select one of the verified email addresses as "default" (notifications go to this address), and remove any address (except for the default address). Each of these individual operations is quite basic and easy to implement right, and avoids all the headaches of a safe system for changing a single email address.
This is also the model employed by GitHub, see https://github.com/settings/emails (you have to be logged on there to see the UI).
#4 Updated by Anonymous almost 10 years ago
Just to clarify, when I wrote "and using the same code as during registration" what I meant was "and using the same authentication code scheme as during registration" -- of course the actual code / hash key being used should not be the same!
Ah, and also sorry for all those embarrassing typos and cut&paste artifacts, but I hope that the overall idea is understandable.