Example code is susceptible to username hijacking #87
While I know the code you are providing in the views/controller is a sample, the code is susceptible to allowing a user to create an Umbraco account for an email/username which is not a part of the claims.
I realize it's up to the developer to look out for these sorts of situations but Identity is also a "not easy to learn" topic. I recently worked on a project where a malicious user could associate a different email by manipulating the hidden fields.
My suggestion is to discourage "picking your own username" and to discourage hidden fields for the username. Most developers are just happy it works, but I think this leaves a site open to misuse.
To sum up, thanks for writing this, just wanted to pass on my 2 cents.
I changed a project that I was working on to only use information provided via claims and disallowed using any sort of hidden fields on the form.
Hi @kgiszewski, it's been a while since I've had my head in this project and most of this code is taken directly from the code installed via the MVC templates with Visual Studio. I can't remember if I've changed it to allow such a thing to occur.
Would you by chance have time to submit a PR for review as this would be very helpful to more quickly get a better idea of exactly what you are referring to?
I've investigated this now and figured out what you are referring to. IIRC what happened was that a lot of this code is borrowed from the ASP.Net original identity 2.x snippets, but since our members generally use an email address as their username, that snippet was updated, whereas I think the original identity snippet actually uses a true username instead of an email.
In any case, I've simplified this whole thing. There will be no screen to confirm your username or email; it will just create your account with the email supplied from the claims, and if any of that fails it will redirect to an error page with the details. I'll get this released ASAP.
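The two approaches discussed in this thread side by side: the tamperable hidden-field flow the reporter describes, and the claims-only account creation the maintainer settled on. This is an added example, not code from the issue or from the project. It is modelled on the ASP.NET Identity 2.x MVC template's `ExternalLoginConfirmation` action; the `ExternalLoginController`, `ConfirmVulnerable`, `ConfirmHardened` and `CreateLinkAndSignIn` names are assumptions made for the illustration, and `ApplicationUser` and `ExternalLoginConfirmationViewModel` are defined here to match the template's shapes rather than taken from the repository.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Minimal Identity 2.x user type (assumed; the MVC template defines the same class).
public class ApplicationUser : IdentityUser { }

// Posted by the confirmation form. In the pattern criticised in this issue,
// Email is rendered as a hidden <input>: the server pre-fills it, but the
// browser sends back whatever the user chooses to put there.
public class ExternalLoginConfirmationViewModel
{
    public string Email { get; set; }
}

// Hypothetical controller used only to hold the two contrasting actions.
public class ExternalLoginController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser, string> _signInManager;

    public ExternalLoginController(UserManager<ApplicationUser> userManager,
                                   SignInManager<ApplicationUser, string> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // VULNERABLE: the username/email comes from the posted form, so a user who
    // authenticated with the provider as alice@example.com can create the local
    // account as bob@example.com simply by editing the hidden field before submit.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ConfirmVulnerable(
        ExternalLoginConfirmationViewModel model, string returnUrl)
    {
        var info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null)
            return View("ExternalLoginFailure");

        // model.Email is never compared with the claims the provider asserted.
        return await CreateLinkAndSignIn(model.Email, info, returnUrl);
    }

    // HARDENED: no form field carries the identity at all. The account is
    // created from the email claim in the external identity, and a provider
    // that does not assert one is treated as a failure, not as a prompt.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> ConfirmHardened(string returnUrl)
    {
        var info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null)
            return View("ExternalLoginFailure");

        string email = info.ExternalIdentity != null
            ? info.ExternalIdentity.FindFirstValue(ClaimTypes.Email)
            : null;
        if (string.IsNullOrWhiteSpace(email))
            email = info.Email; // OWIN fills this from the same claim when present

        if (string.IsNullOrWhiteSpace(email))
        {
            ModelState.AddModelError("", "The external provider did not supply an email address.");
            return View("ExternalLoginFailure");
        }

        return await CreateLinkAndSignIn(email, info, returnUrl);
    }

    // Shared tail: create the local user, link the external login, sign in.
    // Identical for both actions; the only difference is where `email` came from.
    private async Task<ActionResult> CreateLinkAndSignIn(
        string email, ExternalLoginInfo info, string returnUrl)
    {
        var user = new ApplicationUser { UserName = email, Email = email };
        var result = await _userManager.CreateAsync(user);
        if (result.Succeeded)
        {
            result = await _userManager.AddLoginAsync(user.Id, info.Login);
            if (result.Succeeded)
            {
                await _signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
                return Url.IsLocalUrl(returnUrl)
                    ? (ActionResult)Redirect(returnUrl)
                    : RedirectToAction("Index", "Home");
            }
        }
        foreach (var error in result.Errors)
            ModelState.AddModelError("", error);
        return View("ExternalLoginFailure");
    }
}
```

The practical check when reviewing an external-login flow is to diff the two actions: anything that reaches `UserName` or `Email` on the new user must trace back to `GetExternalLoginInfoAsync()`, never to a bound view model or a form value, and a missing email claim must end the flow rather than fall through to a field the user can fill in.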