  1. #1 DoubleDee

    Questioning the Security of Activation E-mail

    When someone registers at my website, my registration script sends an "Activation Email" to the e-mail address used during registration.

    The registrant gets an e-mail like this...
    Dear Jane Doe,

    Thanks for creating a new account at www.Debbie.com

    To activate your account, please click on the link below:

    http://local.debbie/account/activate.php?x=0ff70b3a23cf00d0cd7936ee57feb60d

    Sincerely,


    Webmaster

    Even though this is a very *common* approach, I am starting to question how *secure* it really is?!


    For example, what is stopping a hacker from trying to "brute force" the URL above and sending thousands of bogus requests, with the goal of activating Member Accounts where the actual "registrant" has not yet seen the e-mail?!

    There is also the issue that a hacker could just keep sending requests trying to guess a particular registrant's Activation Code.


    Using this approach is supposed to be more secure, because the thought-process is that only the person who registered has access to his/her e-mail account, and so the Activation Email is safe.

    But look at how low the bar is set with this e-mail!!!

    I can see NOTHING that stops someone with too much time on his/her hands from just going to...
    Code:
    http://local.debbie/account/activate.php?x=
    ...and hacking away?!


    I'm *definitely* not trying to make any additional work for myself, however, this whole "Member Account Activation Email" seems rather *flaky* the more I think about it...

    Thoughts?

    Sincerely,


    Debbie

  2. #2 Force Flow
    A hacker won't be able to easily guess one of those URLs, since each one is unique, randomly generated, and is composed of a long string of characters.

    Additionally, sometimes activation links are set to expire after a certain amount of time if they aren't clicked.

  3. #3 DoubleDee
    Quote Originally Posted by Force Flow View Post
    A hacker won't be able to easily guess one of those URLs, since each one is unique, randomly generated, and is composed of a long string of characters.

    Additionally, sometimes activation links are set to expire after a certain amount of time if they aren't clicked.
    But what is to stop some bored kid from sending a constant barrage of requests to the URL?

    Once you know I am doing activation at this URL...

    Code:
    http://local.debbie/account/activate.php?x=
    ...the sky is the limit with the number of bogus requests you could send?!

    Sincerely,


    Debbie

  4. #4 DaveMaxwell
    And they'd have to be able to brute force that GUID... not real likely.

    If you're really feeling paranoid (hint), you can add a limit per IP address.

  5. #5 Stevie D
    Quote Originally Posted by DoubleDee View Post
    But what is to stop some bored kid from sending a constant barrage of requests to the URL?

    Once you know I am doing activation at this URL...

    Code:
    http://local.debbie/account/activate.php?x=
    ...the sky is the limit with the number of bogus requests you could send?!
    With nearly 10^50 possible 32-character strings (assuming only [0-9][a-z]), yes, it is theoretically possible that if someone harvests the power of every internet-connected device under the sun to (a) submit a registration form from every known email address, and (b) constantly hit your server trying registration codes, there is a slim chance that they will hit a match and get lucky.

    But even if they do, what have they gained? They've signed someone else up to your website. Is that the end of the world?

    The main reason for double opt-in, for most subscriptions, is simply to avoid the annoyance of someone getting signed up to a service they didn't want because some other muppet mistyped their own email address. There's rarely any major security issue at stake.

  6. #6 DoubleDee
    Quote Originally Posted by Stevie D View Post
    With nearly 10^50 possible 32-character strings (assuming only [0-9][a-z]), yes, it is theoretically possible that if someone harvests the power of every internet-connected device under the sun to (a) submit a registration form from every known email address, and (b) constantly hit your server trying registration codes, there is a slim chance that they will hit a match and get lucky.

    But even if they do, what have they gained? They've signed someone else up to your website. Is that the end of the world?

    The main reason for double opt-in, for most subscriptions, is simply to avoid the annoyance of someone getting signed up to a service they didn't want because some other muppet mistyped their own email address. There's rarely any major security issue at stake.
    Okay, so I would basically agree with what you - and others - are saying on this point.

    But again, what about my *other* point that someone could end up slamming the "Activation URL" in an attempt to do a DOS attack?

    Wouldn't it be beneficial to have something similar to my Log-In page's "3 Strikes and You're Out"?

    Hey, I don't know?! I'm just trying to *scrutinize* all of my code, and trying to think of any places where there may be some holes...

    Sincerely,


    Debbie

  7. #7 Stevie D
    Quote Originally Posted by DoubleDee View Post
    But again, what about my *other* point that someone could end up slamming the "Activation URL" in an attempt to do a DOS attack?
    If all they want to do is to bring your server to its knees, all they have to do is to hit on website.com/?a=00000000000001, and then increment the number each time. It doesn't matter whether you've got any security systems at all, or if it's just a plain static site with a single page and nothing else.

  8. #8 ParkinT
    Does the Activation process reveal the user's email address or password?
    If it simply activates the account, then it is akin to you remotely turning on the lights in my house but without any idea where I live.

  9. #9 DaveMaxwell
    Quote Originally Posted by DoubleDee View Post
    But again, what about my *other* point that someone could end up slamming the "Activation URL" in an attempt to do a DOS attack?

    Wouldn't it be beneficial to have something similar to my Log-In page's "3 Strikes and You're Out"?
    Psst. Look at post #4.

    Quote Originally Posted by DoubleDee View Post
    Hey, I don't know?! I'm just trying to *scrutinize* all of my code, and trying to think of any places where there may be some holes...
    Honestly, you have to weigh the benefits against the time and effort required. If you DO get attacked with a DDOS attack, take it as a sign that you made it. People only attack the sites that are worth the effort.

  10. #10 DoubleDee
    Quote Originally Posted by ParkinT View Post
    Does the Activation process reveal the user's email address or password?
    If it simply activates the account, then it is akin to you remotely turning on the lights in my house but without any idea where I live.
    As I said in my original post...

    The registrant gets an e-mail like this...

    Code:
    Dear Jane Doe,
    
    Thanks for creating a new account at www.Debbie.com
    
    To activate your account, please click on the link below:
    
    http://local.debbie/account/activate.php?x=0ff70b3a23cf00d0cd7936ee57feb60d
    
    Sincerely,
    
    
    Webmaster
    Sincerely,


    Debbie

  11. #11 DoubleDee
    Quote Originally Posted by DaveMaxwell View Post
    Psst. Look at post #4.

    Quote Originally Posted by DaveMaxwell View Post
    If you're really feeling paranoid (hint ), you can add a limit per IP address
    My bad.

    Isn't it true that doing any kind of filtering on IP can backfire, because companies like AOL - is that company even around?! - use the same IP for all of their users?!


    Quote Originally Posted by DaveMaxwell View Post
    Honestly, you have to weigh the benefits against the time and effort required. If you DO get attacked with a DDOS attack, take it as a sign that you made it. People only attack the sites that are worth the effort.
    Yes, that is true!


    So, according to you guys, it sounds like my Activation Page is good enough for now...

    Sincerely,


    Debbie
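To make the advice in posts #2, #4, #6 and #11 concrete, here is an added example (written for this thread, not Debbie's activate.php and not any forum package's code) of an activation endpoint in Python: a 128-bit token from the OS CSPRNG, stored only as a hash, single-use, expiring, with a per-IP "3 strikes" limit on bad guesses. The 24-hour lifetime, the 3-failure limit and the one-hour window are assumed values; the clock is injectable so the expiry path can be exercised.

```python
import hashlib
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600   # unclicked links expire after a day (assumed value)
MAX_FAILURES_PER_IP = 3         # "3 strikes" per client address within the window
FAILURE_WINDOW_SECONDS = 3600   # assumed window for counting bad guesses


@dataclass
class PendingAccount:
    email: str
    expires_at: float
    activated: bool = False


class ActivationService:
    """Issues and checks e-mail activation tokens. `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}                  # sha256(token) -> PendingAccount
        self.failures = defaultdict(list)  # client ip -> timestamps of bad guesses

    @staticmethod
    def _key(token: str) -> str:
        # Store and look up a hash of the token, so a leaked table cannot be
        # turned into working activation links.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email: str) -> str:
        # 128 bits from the OS CSPRNG, rendered as 32 hex chars like ?x=0ff70b3a...
        token = secrets.token_hex(16)
        self.pending[self._key(token)] = PendingAccount(email, self.now() + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mail only; never logged or stored raw

    def _strikes(self, ip: str) -> int:
        # Drop failures older than the window, return how many remain.
        cutoff = self.now() - FAILURE_WINDOW_SECONDS
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]
        return len(self.failures[ip])

    def activate(self, token: str, ip: str) -> str:
        # Per-IP limiting is a soft brake only: users behind one shared proxy
        # (the AOL case in post #11) share the counter, so keep the limit modest
        # and rely on the 2**128 keyspace for the real security.
        if self._strikes(ip) >= MAX_FAILURES_PER_IP:
            return "rate_limited"
        acct = self.pending.get(self._key(token))
        if acct is None:
            self.failures[ip].append(self.now())
            return "invalid"
        if acct.activated:
            return "already_active"   # single use: a second click does nothing
        if self.now() > acct.expires_at:
            return "expired"
        acct.activated = True
        return "activated"
```

A real deployment would also cap how many activation e-mails one address can trigger per window (the point dklynn raises in post #12), which is the same counter idea keyed on the e-mail address instead of the IP.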

  12. #12 dklynn
    DD,

    If you send spam (unwanted e-mail), you are guilty of a (probably minor) cybercrime. While most are simply ignored (because hackers are good at hiding their origin), isn't it worth the extra effort to confirm FROM THE ADDRESS USED that the person does want your e-mail?

    Warning: To avoid SPAMMING with your confirmation messages, be sure to check the address against the database before sending more than one (within your timeout period, of course).

    Regards,

    DK

  13. #13 DoubleDee
    Quote Originally Posted by dklynn View Post
    DD,

    If you send spam (unwanted e-mail), you are guilty of a (probably minor) cybercrime. While most are simply ignored (because hackers are good at hiding their origin), isn't it worth the extra effort to confirm FROM THE ADDRESS USED that the person does want your e-mail?

    Warning: To avoid SPAMMING with your confirmation messages, be sure to check the address against the database before sending more than one (within your timeout period, of course).

    Regards,

    DK
    You really have a gift for coming out of left field with your comments sometimes...

    I have *no clue* how what you said above pertains to this thread...


    Debbie

  14. #14 ULTiMATE
    As already said, the likelihood of being able to successfully brute force an activation email is very slim. Anyone that has ever written a brute-force algorithm to reverse a hash will know that it would take many, many years to actually brute-force a GUID. That's a mathematical certainty.

  15. #15 wwb_99
    This should give you an idea what would be involved with brute forcing a GUID: http://blogs.msdn.com/b/oldnewthing/.../10461148.aspx

  16. #16 DoubleDee
    Quote Originally Posted by wwb_99 View Post
    This should give you an idea what would be involved with brute forcing a GUID: http://blogs.msdn.com/b/oldnewthing/.../10461148.aspx
    I have no way to verify if that link is accurate from a technical standpoint, but I get the point you are trying to get across to me...

    Thanks for the link!

    Sincerely,


    Debbie

  17. #17 ULTiMATE
    Quote Originally Posted by DoubleDee View Post
    I have no way to verify if that link is accurate from a technical standpoint, but I get the point you are trying to get across to me...
    For the record, the blog is run by Raymond Chen, who has been a part of the Windows team at Microsoft since 1992, and is one of the most respected guys in tech. If there's anyone you should trust, it's him.

  18. #18 DoubleDee
    Quote Originally Posted by ULTiMATE View Post
    For the record, the blog is run by Raymond Chen, who has been a part of the Windows team at Microsoft since 1992, and is one of the most respected guys in tech. If there's anyone you should trust, it's him.
    Fair enough.

    BTW, his post would have been stronger had he included this concept...

    It doesn't matter how many unique GUIDs there are. What we care about in this conversation is the percentage of GUIDs that are used.

    If there are 10 zillion GUID combinations, but 5 zillion Members, then you have a 50/50 chance of randomly guessing a GUID which you could use to hack into a Session and account.

    It is *implied* from his post that there are an insane amount of GUIDs out there, so my example above wouldn't apply, but hopefully you see my point and the important distinction...

    Sincerely,


    Debbie
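The arithmetic behind posts #5, #18 and #22, as an added worked example in Python (not from the thread): the chance of a random guess landing on a live token is the fraction of the keyspace in use, so the functions below take both the keyspace and the number of outstanding tokens. The keyspace sizes, the million-account and million-guesses-per-second figures are assumed for illustration.

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct tokens of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def hit_probability(space: int, outstanding: int, guesses: int) -> float:
    """Chance that `guesses` uniformly random attempts land on at least one of
    `outstanding` live tokens drawn uniformly from `space` possibilities.

    Each attempt succeeds with p = outstanding / space, so
    P(at least one hit) = 1 - (1 - p) ** guesses.  log1p/expm1 keep the
    result accurate when p is on the order of 1e-33 and plain floats would
    round (1 - p) to exactly 1.
    """
    p = outstanding / space
    return -math.expm1(guesses * math.log1p(-p))


def guesses_for_probability(space: int, outstanding: int, target: float) -> float:
    """Attempts needed before the cumulative hit probability reaches `target`."""
    p = outstanding / space
    return math.log1p(-target) / math.log1p(-p)


def years_to_probability(space: int, outstanding: int, target: float,
                         guesses_per_second: float) -> float:
    """Wall-clock years at a sustained guess rate before reaching `target`."""
    attempts = guesses_for_probability(space, outstanding, target)
    return attempts / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    hex32 = keyspace(16, 32)    # the thread's 32-hex-char token: exactly 2**128
    alnum32 = keyspace(36, 32)  # post #5's [0-9a-z] assumption: about 6.3e49
    # Post #18's toy case: 10 possible codes, 5 of them live -> 50/50 on one guess.
    print(hit_probability(10, 5, 1))
    # Constructed scenario: a million unactivated accounts waiting on their link,
    # an attacker sustaining a million guesses per second against 2**128 hex tokens.
    print(years_to_probability(hex32, 10**6, 0.5, 10**6))
    print(years_to_probability(alnum32, 10**6, 0.5, 10**6))
```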

  19. #19 \\.\
    A properly implemented approach should have the link valid for a number of hours; for example, if they have not clicked on the link after 24 hours, the link expires.

    In short, if you are concerned with security, choose a longer SALT value if you coded the site yourself; if not, raise the matter with the forum dev team that wrote the routine and get it from the horse's mouth.

  20. #20 ULTiMATE
    Quote Originally Posted by DoubleDee View Post
    Fair enough.

    BTW, his post would have been stronger had he included this concept...

    It doesn't matter how many unique GUIDs there are. What we care about in this conversation is the percentage of GUIDs that are used.

    If there are 10 zillion GUID combinations, but 5 zillion Members, then you have a 50/50 chance of randomly guessing a GUID which you could use to hack into a Session and account.

    It is *implied* from his post that there are an insane amount of GUIDs out there, so my example above wouldn't apply, but hopefully you see my point and the important distinction...

    Sincerely,


    Debbie

    Your post assumes that no users have activated their accounts. As you cannot reactivate your account once it is already active this method of attack wouldn't work.

    What you've suggested is valid. Not for the GUID approach, as you'll still need a few lifetimes to spare just to set up your rainbow table, but is very valid if you've rolled your own system, or if you email out temporary passwords (i.e. on a forgotten password link). I've known numerous sites that have done the latter, and have ultimately been hacked.

  21. #21 DoubleDee
    Quote Originally Posted by ULTiMATE View Post
    Your post assumes that no users have activated their accounts. As you cannot reactivate your account once it is already active this method of attack wouldn't work.

    What you've suggested is valid. Not for the GUID approach, as you'll still need a few lifetimes to spare just to set up your rainbow table, but is very valid if you've rolled your own system, or if you email out temporary passwords (i.e. on a forgotten password link). I've known numerous sites that have done the latter, and have ultimately been hacked.
    You know, I have been getting this thread and another one of mine mixed up?! (Happens when some of my threads seem to linger...)

    In the past, I had asked, "How hard would it be for someone to guess your SessionID?" (My concern being that the SessionID is stored in a cookie locally on a user's machine. So what is there to stop someone from simply editing their Session Cookie and in turn hi-jacking someone else's session?! For example, DoubleDee's SessionID in the Session Cookie is "1234" and I go into my cookie and change it to "6789" and then end up pretending to be "ULTiMATE"...)

    I haven't eaten in a day and I was dizzy enough before I realized I forgot what this thread was originally about?! Oops!

    Let me see if I can rebound...


    You are correct that once a user activates his/her account and becomes a full-fledged Member, this would no longer apply. (My code handles double-authentication attempts.)

    Originally, I was concerned that someone could attempt a DOS attack and just start hammering my website with random links hoping to activate new Members.

    Maybe re-read my Original Post to refresh your memory what I was thinking...

    Here is the gist of what I said...

    Quote Originally Posted by doubledee
    For example, what is stopping a hacker from trying to "brute force" the URL above and sending thousands of bogus requests, with the goal of activating Member Accounts where the actual "registrant" has not yet seen the e-mail?!

    There is also the issue that a hacker could just keep sending requests trying to guess a particular registrant's Activation Code.
    Sincerely,


    Debbie

  22. #22 wwb_99
    Re-read Raymond's blog post -- the keyspace for GUIDs is so large that it would take years to hit the first one unless you had billions of registrations. Even if they did then they would just be activating someone else's account which might be disconcerting for the user but shouldn't matter.

    Furthermore, if I was going to DDOS your site I wouldn't bother with anything that fancy -- you can take down most web servers with a handful of slowloris bots.

