An attacker can determine whether a target user has an account with the app. Consider the following scenario:
A human rights activist has a Giggle account associated with his real name and email address. He uses his Giggle account to log in to a fictional "Overthrow Kim Jung-on Forums" app. The North Korean government suspects him, compromises LinkedOut such that they can create a LinkedOut account with his email address (or compromises his LinkedOut account), and then uses the LinkedOut account to log in to the app. Since the email addresses are the same, accounts-meld melds (or asks to meld) the accounts and the government then knows that the user has an account on the app. If you find this scenario too far-fetched, consider an app like AshleyMadison.com and let the attacker be a black-hat out to blackmail users.
Aside 1: `accounts-password` has this privacy issue even when there is no melding/merging. You can determine whether a particular email address is already registered simply by trying to create an account with that email address and seeing whether an error occurs. Sites where having an account is itself risky should not be using `accounts-password` for that reason. But those sites should not have this privacy issue introduced because they use `splendido:accounts-meld`.
Aside 2: You might think you can address the privacy issue by only offering the meld/merge to the existing user (i.e. the account with the Giggle service). However, there is still a scenario where the attacker signs up using the bogus LinkedOut account before the victim signs up. When the victim signs up, the attacker then knows about it.
My suggested fix is the same as for issue #30. Specifically, don't meld (or ask to meld) two accounts unless the user has logged into both at the same time. The primary downside to such a change would be that the package would no longer prevent a user from creating multiple accounts with the same email address. Apps that desire such behavior can achieve it without accounts-meld by just registering a `validateNewUser` handler that checks for existing users with the same verified email.
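The `validateNewUser` handler that the suggested fix refers to, written out as an added example (this is not code from the splendido:accounts-meld package or from the issue author). It assumes Meteor's user document shape (`user.emails[{address, verified}]` for password accounts, `user.services.<provider>.email` for OAuth accounts), treats provider-supplied addresses as verified, and runs against a constructed in-memory user list with a hypothetical `giggle` OAuth service so it can execute without Meteor; the `Accounts.validateNewUser` wiring at the bottom only runs when the Meteor globals exist. Only verified addresses count as taken, because anyone can type someone else's address into a signup form.

```javascript
// Added example, not code from splendido:accounts-meld or the issue author.
// A Meteor-style Accounts.validateNewUser handler that refuses a new account
// whenever one of its email addresses is already a *verified* address of an
// existing user. It is built against a lookup function so it can run here
// without Meteor; the Meteor wiring at the bottom only executes when the
// Meteor globals exist.
//
// User documents follow Meteor's shape: password accounts keep
// user.emails = [{ address, verified }], OAuth accounts keep
// user.services.<provider>.email (treated here as verified by the provider).

// Every email address on a user document, lower-cased. With verifiedOnly,
// unverified password-account addresses are skipped.
function emailsOf(user, verifiedOnly) {
  const out = new Set();
  for (const e of user.emails || []) {
    if (e && e.address && (!verifiedOnly || e.verified)) {
      out.add(e.address.toLowerCase());
    }
  }
  for (const [provider, svc] of Object.entries(user.services || {})) {
    if (provider === 'password' || provider === 'resume') continue; // no addresses there
    if (svc && typeof svc.email === 'string') out.add(svc.email.toLowerCase());
  }
  return out;
}

// findUsersByEmail(addresses) -> existing user docs mentioning any of them.
function makeValidateNewUser(findUsersByEmail) {
  return function validateNewUser(candidate) {
    const wanted = emailsOf(candidate, false); // the new user's own addresses, verified or not
    if (wanted.size === 0) return true;        // nothing to collide with
    for (const existing of findUsersByEmail([...wanted])) {
      const taken = emailsOf(existing, true);  // only verified addresses block a signup
      for (const address of wanted) {
        if (taken.has(address)) {
          // In Meteor: throw new Meteor.Error(403, '...'), which reaches the client.
          throw new Error(`email ${address} is already registered`);
        }
      }
    }
    return true; // Meteor creates the user only when the handler returns true
  };
}

// Constructed sample users standing in for Meteor.users (not real data).
const SAMPLE_USERS = [
  // The activist's Giggle account: the OAuth provider supplied the address.
  { _id: 'u1', services: { giggle: { email: 'activist@example.org' } } },
  // A password account whose address was never verified.
  { _id: 'u2', emails: [{ address: 'pending@example.org', verified: false }] },
  // A password account with a verified address.
  { _id: 'u3', emails: [{ address: 'verified@example.org', verified: true }] },
];

function findSampleUsersByEmail(addresses) {
  const wanted = new Set(addresses.map((a) => a.toLowerCase()));
  return SAMPLE_USERS.filter((u) => [...emailsOf(u, false)].some((a) => wanted.has(a)));
}

// Run the validator and report the outcome as a string instead of throwing.
function decide(validate, candidate) {
  try {
    validate(candidate);
    return 'allowed';
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Meteor wiring (only inside a Meteor server). The Mongo query is an exact
// match, so store addresses lower-cased if you rely on it.
if (typeof Accounts !== 'undefined' && typeof Meteor !== 'undefined') {
  Accounts.validateNewUser(makeValidateNewUser((addresses) =>
    Meteor.users.find({ $or: [
      { 'emails.address': { $in: addresses } },
      { 'services.giggle.email': { $in: addresses } }, // one entry per OAuth service you enable
    ] }).fetch()));
}

const demoValidate = makeValidateNewUser(findSampleUsersByEmail);
// The attacker's LinkedOut account reusing the activist's address: rejected.
console.log(decide(demoValidate, { services: { linkedout: { email: 'Activist@Example.org' } } }));
// An address that exists only unverified: allowed.
console.log(decide(demoValidate, { emails: [{ address: 'pending@example.org', verified: false }] }));
```

The trade-off the first aside describes still applies: a rejected signup tells whoever submitted the address that it is registered, so this handler suits apps that want one account per address and accept that leak, not apps where having an account is itself sensitive.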