
Email verification link of a deleted account enables automatic login #2031

Closed
bajiat opened this issue Feb 6, 2017 · 10 comments
Comments


bajiat commented Feb 6, 2017

From @saralavanip on January 25, 2017 16:53

Steps

  1. Visit https://staging.apinf.io (version 0.39.0)
  2. Create account 1 (eg. with email address: test1@test.com)
  3. Open email and click on account 1 verification link
  4. Visit https://staging.apinf.io
  5. Login as admin and delete the above added account
  6. Logout
  7. Create another account 2 (eg. with email address: test2@test.com)
  8. Open email and click on account 2 verification link
  9. Repeat step 3

Findings

  • Clicking the email verification link of a deleted account enables automatic login to the latest active account.
  • Displays the error message 'Verify email link Expired'.


Copied from original issue: Digipalvelutehdas/APIKA#297

@bajiat bajiat assigned 55 Feb 6, 2017
@55 55 added this to the Sprint 36 milestone Feb 6, 2017
@55 55 added in progress and removed ready labels Feb 6, 2017

55 commented Feb 9, 2017

@saralavanip I've tried twice and couldn't reproduce it.
Please try one more time and let me know if it's still reproducible.
@apinf/developers guys, if somebody can also test it out, I will really appreciate it.


brylie commented Feb 9, 2017

I think steps 7 and 8 are not central to this bug report, and can be ignored.


brylie commented Feb 9, 2017

When clicking on an email verification link that has already been used, I get a notification "Verify email link expired":



bajiat commented Feb 9, 2017

If I log out after step 8 and then click the verification link for user 1 (step 9), I'm not logged in; I just get an error message about an expired verification email.

If I don't log out after step 8 and click the verification link for user 1, I go to the APInf UI as the currently logged-in user (user 2, the one created in step 7) and get a message about an expired verification email.

@saralavanip Please check what you were actually trying to test.

@marla-singer

marla-singer commented

@NNN I think the main idea is in step 5:
Login as admin and delete the above added account

@bajiat bajiat closed this as completed Feb 9, 2017
@bajiat bajiat removed the in progress label Feb 9, 2017

bajiat commented Feb 9, 2017

@marla-singer I deleted the first user and followed all the steps exactly.


bajiat commented Feb 9, 2017

If the second user is logged out, it does not automatically log in. If the second user is logged in, then it goes to the current active user.

@marla-singer

marla-singer commented

@bajiat Ok, I can't reproduce it either.

@saralavanip

saralavanip commented

@bajiat @NNN @brylie @marla-singer, I was testing this case from the security aspect in the different scenarios below:

Scenario 1:
-> Expired link in a deleted account (user 1)
   ==> 1(a) At this point, the browser has no tabs with an APInf user session
-> Click on expired link
   ==> 1(b) Actual Result: redirects to the APInf homepage (https://staging.apinf.io)
            with error message "verify email link expired", as expected

Scenario 2:
-> Expired link in a deleted account (user 1)
   ==> 2(a) Browser has a tab with an active APInf session (user 2 logged in)
-> Click on expired link
   ==> 2(b) Actual Result: opens another new tab with an active APInf session (user 2 logged in)
            with error message 'verify email link expired'
            Expected Result: it must redirect to the APInf home page (https://staging.apinf.io)
            with the error message as in 1(b)

Scenario 3:
-> Expired link in a deleted account (user 1)
   ==> 3(a) Close tabs (active sessions with user 2 still logged in)
-> Click on expired link
   ==> 3(b) Actual Result: opens a new tab with an active APInf session (user 2 logged in)
            with error message 'verify email link expired'
            Expected Result: it must redirect to the APInf home page (https://staging.apinf.io)
            with the error message as in 1(b)
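
As an added example (not the APInf project's code), a minimal verification-token handler in JavaScript showing the behaviour expected in 1(b), 2(b) and 3(b): a token whose account has been deleted, or which was already used, yields only the 'Verify email link expired' message and a redirect to the home page, and the caller's existing session is passed back untouched. The in-memory user store, token values and the `verifyEmailToken` function are constructed for this example.

```javascript
// Constructed in-memory user store, keyed by user id (stands in for the real DB).
const users = new Map();

function createUser(id, email, token) {
  users.set(id, { id, email, verified: false, token });
}

// Deleting the account also discards its pending verification token.
function deleteUser(id) {
  users.delete(id);
}

// Follows a verification link. `session` is the caller's current session
// (or null when no one is logged in) and is always returned unchanged:
// a verification link must never create, switch or extend a login.
function verifyEmailToken(token, session) {
  const user = [...users.values()].find((u) => u.token === token);
  if (!user) {
    // Unknown token: already used, or the account was deleted (scenarios 1-3).
    // The caller cannot distinguish the two cases, which is intentional.
    return {
      ok: false,
      message: 'Verify email link expired',
      redirect: 'https://staging.apinf.io', // home page, as in 1(b)
      session,
    };
  }
  user.verified = true;
  user.token = null; // single use: a second click lands in the branch above
  return { ok: true, message: 'Email verified', redirect: 'https://staging.apinf.io', session };
}

// Walk through the reported steps: verify user 1, delete user 1, then click
// user 1's link while user 2 is logged in.
function runScenario() {
  createUser('u1', 'test1@test.com', 'tok-1'); // constructed sample tokens
  createUser('u2', 'test2@test.com', 'tok-2');
  verifyEmailToken('tok-1', null);
  deleteUser('u1');
  const user2Session = { userId: 'u2' };
  return verifyEmailToken('tok-1', user2Session);
}
```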


bajiat commented Feb 17, 2017

@saralavanip IMHO, this does not mean there is a grave security concern. The precondition is that the second user is active / logged in on that same device.
