What's this called?
- Attacker starts to create a user account on some site
- They put someone else's email in
- The victim clicks the link because they are dumb, or because the hacker knows that they're a customer
- The attacker is now authenticated as the victim
Seems related to session fixation. I don't see how the last step follows though. Can you clarify what the attacker gains?
-
-
A few, in increasing level of severity: a. If we do simply say that clicking the link sets the "email confirmed" flag for the attacker, it gives them a leg up to impersonating you or a member of your org (why yes I do have an @dumbbank.com address)
-
b. If we have a multi-page application, and tie the clicker into the same app-in-progress object, the attacker can refresh the page and potentially see whatever else they type into the form (could be sensitive, SSN, etc.) That requires the attacker to target people already filling out the form, or the victim to be pretty dumb, but it's basically a phishing attack except the email actually comes from your bank and goes to their site.
-
c. If we're using this as a Slack-like login link, they just plain login as you.
-
The obvious mitigation tactic is to make the link only act in one session, and to ask for a password (especially if the session doesn't match). ... Thanks for looking, btw!
-
This is a very bad security UX. In a secure environment, you don't have access to email in the browser you sign up for random sites in. A link clicked from email is a new session, maybe on a different device.
-
I agree - but I've seen two separate teams make the mistake, so I'm wondering if there's a name for it...
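The flow the thread describes, next to the mitigation proposed a few replies up (link only acts in the session that started the signup; any other session has to supply the signup password), as an added example that is not code from anyone in the thread. The in-memory stores, session ids, email address and function names are assumptions made for the illustration.

```python
"""Email-verification links that bind whoever clicks them to a pending signup.

verify_vulnerable() is the pattern the thread describes; verify_bound() is the
proposed mitigation. run_scenario() plays the attacker-types-victim's-email story.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory state for the example (a real service would persist these).
PENDING = {}    # token -> {"email", "session_id", "salt", "pw_hash"}
ACCOUNTS = {}   # email -> {"confirmed": bool, "salt", "pw_hash"}
SESSIONS = {}   # session_id -> {"user": email or None}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _session(session_id: str) -> dict:
    return SESSIONS.setdefault(session_id, {"user": None})


def start_signup(email: str, password: str, session_id: str) -> str:
    """Step 1 of the thread: someone (here, the attacker) types an email address.

    Returns the token that would be mailed to `email`. We remember which browser
    session started the signup so the link can later be tied to that session."""
    _session(session_id)
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"email": email, "session_id": session_id,
                      "salt": salt, "pw_hash": _hash_pw(password, salt)}
    return token


def verify_vulnerable(token: str, clicking_session: str) -> str:
    """The mistake: the click both confirms the email and authenticates the pending
    signup, no matter who clicked or from which session."""
    rec = PENDING.pop(token, None)
    if rec is None:
        return "invalid"
    ACCOUNTS[rec["email"]] = {"confirmed": True, "salt": rec["salt"], "pw_hash": rec["pw_hash"]}
    # The session that typed the address AND the session that clicked are now both
    # logged in as the account carrying the victim's freshly confirmed email.
    _session(rec["session_id"])["user"] = rec["email"]
    _session(clicking_session)["user"] = rec["email"]
    return "logged_in"


def verify_bound(token: str, clicking_session: str, password: Optional[str] = None) -> str:
    """Mitigation: the link only acts in the session that started the signup; from any
    other session it demands the password chosen at signup before doing anything.
    A victim who never started the signup cannot know that password, so their click
    alone confirms nothing and logs nobody in."""
    rec = PENDING.get(token)
    if rec is None:
        return "invalid"
    if not hmac.compare_digest(rec["session_id"], clicking_session):
        if password is None or not hmac.compare_digest(
                _hash_pw(password, rec["salt"]), rec["pw_hash"]):
            return "password_required"   # token stays pending; no state changes
    PENDING.pop(token)                   # single use once it succeeds
    ACCOUNTS[rec["email"]] = {"confirmed": True, "salt": rec["salt"], "pw_hash": rec["pw_hash"]}
    _session(clicking_session)["user"] = rec["email"]
    return "confirmed"


def run_scenario(verify) -> dict:
    """Attacker signs up with the victim's address from one session; the victim
    clicks the mailed link from a different device/session."""
    PENDING.clear(); ACCOUNTS.clear(); SESSIONS.clear()
    token = start_signup("victim@example.com", "attacker-chosen-pw", "sess-attacker")
    result = verify(token, "sess-victim")
    return {"result": result,
            "attacker_user": SESSIONS["sess-attacker"]["user"],
            "victim_confirmed": ACCOUNTS.get("victim@example.com", {}).get("confirmed", False)}


if __name__ == "__main__":
    print(run_scenario(verify_vulnerable))  # attacker session ends up logged in as victim
    print(run_scenario(verify_bound))       # nothing confirmed, nobody logged in
```

With the bound variant a legitimate user who really did start the signup on another device can still finish by entering the password they chose; the attacker cannot get the victim to type a password the victim never set. Token expiry is left out for brevity and would normally sit next to the single-use check.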