Brute-Force Unblock Link in Emails Consumed by Security Scanners

Last Updated: Jul 3, 2024

Overview

There is an issue with the emails that are being sent when an account is blocked by Brute-Force Protection. Auth0 sends an email to the user whose account has been blocked, but when the user clicks on the unblock link in the email, they will get this error:

The URL can be used only once.

However, when checking the user’s profile, the account appears as unblocked.

Applies To

  • Brute Force Protection
  • Unblock account
  • Unblock Email

Steps to reproduce

The steps to reproduce the issue:

  1. Enable brute force protection.
  2. Trigger brute force protection as a test user.
  3. Use the unblock link sent to their email.
  4. Because Safe Links or a similar email security feature has already followed (and thereby consumed) the single-use link, the "The URL can be used only once." error page is shown.
    The user is, however, already unblocked.

Cause

Third-party email security scanning software is opening (activating) the unblock link before the user does, which consumes it.

Solution

There is currently no workaround for this particular issue. Make sure no service (such as an email link scanner) opens the unblock link before the user does. As of February 2024, a single GET request consumes the link. If you would prefer that links be consumed only by a POST request, please leave feedback for our product team.
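The following is an added example, not Auth0 code: a toy model of single-use unblock links that reproduces the symptom above (a scanner's GET spends the ticket, so the user sees the "used only once" error although the account is already unblocked) and contrasts it with a design where GET is idempotent and only a POST from the confirmation page consumes the ticket. The service class, URL and user names are constructed for illustration.

```python
import secrets

ERR_USED = "The URL can be used only once."


class UnblockService:
    """Constructed model of single-use unblock links (not Auth0's implementation)."""

    def __init__(self, consume_on="GET"):
        # consume_on="GET": any fetch spends the ticket (the behaviour described in this article).
        # consume_on="POST": GET only renders a confirmation page; a POST spends the ticket.
        self.consume_on = consume_on
        self.tokens = {}      # ticket -> user whose block it lifts
        self.blocked = set()  # users currently blocked by brute-force protection

    def block(self, user):
        """Block the user and issue a single-use unblock link (placeholder host)."""
        self.blocked.add(user)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return f"https://example.invalid/unblock?ticket={token}"

    def _consume(self, token):
        user = self.tokens.pop(token, None)
        if user is None:
            return ERR_USED
        self.blocked.discard(user)
        return f"Account for {user} unblocked."

    def request(self, method, url):
        token = url.split("ticket=", 1)[1]
        if method == self.consume_on:
            return self._consume(token)
        # Non-consuming fetch: only report whether the ticket is still valid.
        return "Confirm unblock" if token in self.tokens else ERR_USED


def simulate(consume_on):
    """Replay the sequence from the article: scanner prefetch, then the user's own click."""
    svc = UnblockService(consume_on)
    url = svc.block("alice")
    scanner = svc.request("GET", url)     # email security scanner follows the link first
    user_get = svc.request("GET", url)    # user clicks the link in the email
    user_post = svc.request("POST", url)  # user presses "Confirm" (only meaningful for POST design)
    return scanner, user_get, user_post, "alice" in svc.blocked


if __name__ == "__main__":
    print("GET-consumed link:", simulate("GET"))
    print("POST-consumed link:", simulate("POST"))
```

With the GET design the scanner's prefetch unblocks the account and the user's own click returns the error; with the POST design the prefetch is harmless and the user's confirmation completes the unblock.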
