

Account hijacking when SOCIAL_AUTH_ASSOCIATE_BY_MAIL=True #356

pennersr opened this Issue · 3 comments

3 participants


Consider the following scenario:

  • There is a user with e-mail address whose account I would like to hijack
  • I'll go over to a 3rd party OpenID provider and add as my e-mail address. Of course, given that I do not own the e-mail address I am unable to verify ownership of the e-mail address.
  • Yet, several OpenID providers pass along this unverified e-mail address during the OpenID handshake (e.g. largest Dutch OpenID provider facilitates this).
  • django-social-auth will incorrectly hook up my OpenID to John's account, based on the fact that it assumes my e-mail address is

DSA could narrow this issue by sending some confirmation email, but users would be annoyed with so many confirmations; the pipeline won't be hard to implement, and those willing to ignore it can disable it easily. Besides that, I don't think another solution could be implemented to avoid that situation; a simpler approach would be to just add a comment to the docs explaining the risk of this setting.

This is a good problem to get solved, so I might take some time to implement the pipeline entry to send confirmations.
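The following is an added example, not code from django-social-auth or from either participant: a small self-contained model of the "associate by e-mail" pipeline step as described in the issue above, alongside two safer variants that correspond to the confirmation pipeline proposed in the reply. The `AccountStore`, `User`, the `details` dictionary keys (`email`, `email_verified`) and the OpenID URLs are all constructed for the illustration and do not reflect the library's real API.

```python
"""Added example (not django-social-auth code): why associating a social login
by an unverified e-mail address is an account-takeover risk, and two defensive
alternatives. Everything here is a constructed stand-in for the real pipeline."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    openids: set = field(default_factory=set)  # OpenID identities linked to this account


class AccountStore:
    """Constructed in-memory stand-in for the site's user table plus a table of
    pending association tokens (what a confirmation e-mail would carry)."""

    def __init__(self):
        self.users = {}
        self.pending = {}  # confirmation token -> (username, openid)

    def add_user(self, username, email):
        user = User(username, email)
        self.users[username] = user
        return user

    def find_by_email(self, email):
        email = email.strip().lower()
        for user in self.users.values():
            if user.email.lower() == email:
                return user
        return None


def associate_by_email_unsafe(store, details, openid):
    """Models the behaviour reported in the issue: whatever e-mail the OpenID
    provider passes along is trusted and used to look up an existing account."""
    email = details.get("email")
    if not email:
        return None
    user = store.find_by_email(email)
    if user is not None:
        user.openids.add(openid)  # an attacker-controlled OpenID is now linked
    return user


def associate_by_email_verified_only(store, details, openid):
    """Only associate when the provider explicitly asserts the address as verified
    (assumed key 'email_verified'); an unverified address never auto-links."""
    email = details.get("email")
    if not email or details.get("email_verified") is not True:
        return None  # caller falls through: new account or explicit confirmation
    user = store.find_by_email(email)
    if user is not None:
        user.openids.add(openid)
    return user


def request_email_confirmation(store, details, openid):
    """Confirmation-pipeline variant: instead of linking, record a pending
    association and return a one-time token. Delivering that token to the
    mailbox (the actual e-mail) is outside this model; only the holder of the
    mailbox can complete the link."""
    email = details.get("email")
    if not email:
        return None
    user = store.find_by_email(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    store.pending[token] = (user.username, openid)
    return token


def confirm_association(store, token):
    """Completes a pending association; tokens are single-use."""
    entry = store.pending.pop(token, None)
    if entry is None:
        return None
    username, openid = entry
    user = store.users.get(username)
    if user is not None:
        user.openids.add(openid)
    return user


if __name__ == "__main__":
    # Constructed scenario: the attacker's provider sends John's address, unverified.
    store = AccountStore()
    store.add_user("john", "john@example.com")
    attacker_details = {"email": "john@example.com", "email_verified": False}
    attacker_openid = "https://attacker.example/openid"  # constructed value
    print(associate_by_email_unsafe(store, attacker_details, attacker_openid))
    print(associate_by_email_verified_only(store, attacker_details, attacker_openid))
```

Run as a script, the first print shows the unsafe step handing John's account to the attacker's OpenID, and the second shows the verified-only step refusing. The confirmation functions model the pipeline entry discussed above: the link is only established once someone who can read the mailbox presents the token, and reusing or guessing a token fails.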


Associating by e-mail seems to be the default. This opens up a major security vulnerability in many existing DSA deployments that have OpenID enabled. Therefore, I feel you should at least change the defaults, perhaps even (temporarily) disable this feature completely.

@omab omab added a commit that closed this issue
@omab Default SOCIAL_AUTH_ASSOCIATE_BY_EMAIL to False to avoid some security risks (while it's not removed). Closes #356
@omab omab closed this in 9cd3579

There's another way in also:

If someone hacks an account at any of the social auth providers, they can then associate to unprotected django-socialauth sites, even if the legitimate user never set up such a linkage.
