Sign up page is vulnerable to exploitation by malicious users

t.fukao · October 10, 2024, 7:37am

The user sign-up procedure is detailed below:

A user fills out email and password in Sign up page.
A new user account is created in Auth0 database.
A verification email is sent to provided email address.
The user clicks the link in the Verification email.
The user’s is_email_verified is set to true.

If a malicious user uses someone else’s email address in the first step, an account will be created without any consents.

I understand that the Verification email is implemented as safeguard against such malicious activities.
However, regardless of whether the user clicks the link in the Verification email, an account will be created in Auth0.

Creating accounts unilaterally, regardless of user consent, is a high-risk design that could lead to serious security vulnerabilities.

Ideally, accounts should only be created once the user clicks the link in the Verification email.
Is it possible?

dawid.matuszczyk · October 11, 2024, 10:42am

Hi @t.fukao

Welcome to the Auth0 Community!

Unfortunately, due to the Auth0 architecture, it’s not possible to create an account after email verification, but you can deny unverified users access to your application. We have a great Knowledge Solution about that → Best Practice of Enforcing Email Verification

Thanks
Dawid

system · October 25, 2024, 10:42am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.