How to prevent the same normalized email from signing up multiple times

leif.ross · March 5, 2022, 8:04pm

Right now with email+password, it is possible to sign up multiple times using different variations of the same functional email address.

For example, you can create one user with test@test.com, and another one with te.st@test.com, and both emails will reference the same actual functional email address, test@test.com

This opens up for a whole variety of exploits and phishing attacks.
So my question is, how can we prevent multiple signups with the same normalized email address?

john.gateley · March 7, 2022, 1:58pm

Hi @leif.ross

I would be interested in hearing your exploits/attacks you have.

You can use a pre-registration action or hook to normalize and look up the email, disallowing it if it exists.

John

leif.ross · March 9, 2022, 4:26pm

It becomes a problem when connected to other services that normalize the mail, for example services that handle invitations to share resources by specifying the email address of the share target. Then suddenly both, or wrong account gets access to the resource.