Can an account with a verified email address be merged with an account whose email address is unverified?

Posted 2024-10-17 17:52:31, 594 characters, 5 views, 0 comments


Say, if using OpenID Selector, which is Stack Overflow's log-in system, or JanRain, which actually allows using Facebook or Twitter to log in as well as OpenID, then some email addresses are not verified.

On the original website, if an email address is not verified, maybe we can merge two accounts (treat them as one user) if OpenID or JanRain logs in a user with an email address that is verified, and our current user accounts also have a user with that email address (but unverified) -- the real user can take control of the account now.

But what if a hacker registers a celebrity's email address, and then just waits months until the celebrity uses OpenID or Facebook with the verified email address to "merge" the two accounts?

(The website can announce that the accounts are merged, but the celebrity may not remember whether he or she previously signed up on that website, so he or she may not sense a security breach.) So the security risk is: now whatever the celebrity does -- saving items to a list, etc. -- the hacker can silently monitor what is being done.

So is it true that if any account has an unverified email address, no other account should merge with it? Only if both accounts have the same verified email address can those accounts be treated as one single account.

Is this true, or can the rule be more flexible than this?
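The scenario in the question, replayed against two linking policies, as an added example that is not code from the original post, from Stack Overflow, JanRain or any real site. The provider names, subjects, addresses and the `Site`/`Account` model are constructed for illustration. The "naive" policy merges whenever the provider's verified address matches a local account, the "strict" policy only when the local copy of the address is verified as well; the takeover function reports whether the celebrity's first identity-provider login lands in the account the attacker pre-registered.

```python
"""Account-linking policy demo (constructed example, not from the thread).

Question: when a user arrives through an external identity provider (OpenID,
Facebook via JanRain, ...) with a *verified* address, should the site merge
them into a pre-existing local account that holds the same address?
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    account_id: int
    email: str
    email_verified: bool
    # (provider, subject) pairs allowed to sign in to this account
    identities: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class IdpLogin:
    """What the site learns from the identity provider after a successful login."""
    provider: str         # assumed provider name, e.g. "facebook"
    subject: str          # the provider's stable user id
    email: str
    email_verified: bool  # did the provider assert that the address is verified?


class Site:
    NAIVE = "naive"    # merge on address match even if the local copy is unverified
    STRICT = "strict"  # merge only when BOTH sides hold the address as verified

    def __init__(self, policy: str) -> None:
        self.policy = policy
        self.accounts: Dict[int, Account] = {}
        self.by_identity: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def register_local(self, email: str, verified: bool = False) -> Account:
        acct = Account(self._next_id, email.lower(), verified)
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def _accounts_with_email(self, email: str) -> List[Account]:
        return [a for a in self.accounts.values() if a.email == email.lower()]

    def login_with_idp(self, login: IdpLogin) -> Account:
        key = (login.provider, login.subject)
        if key in self.by_identity:                       # returning user: no merge question
            return self.accounts[self.by_identity[key]]

        target: Optional[Account] = None
        if login.email_verified:                          # never match on an unverified IdP address
            for cand in self._accounts_with_email(login.email):
                if self.policy == self.NAIVE or cand.email_verified:
                    target = cand
                    break

        if target is None:
            # No safe match: the IdP user gets a fresh account. Its address is
            # marked verified only because the provider vouched for it.
            target = self.register_local(login.email, verified=login.email_verified)

        target.identities.add(key)
        self.by_identity[key] = target.account_id
        return target


def takeover_scenario(policy: str) -> bool:
    """Replay the attack from the question under the given policy.

    Returns True if the celebrity's IdP login is merged into the account the
    attacker registered earlier (i.e. the attacker keeps access to it).
    """
    site = Site(policy)
    attacker_acct = site.register_local("celebrity@example.com", verified=False)
    # Months later the celebrity signs in through a provider that verified the address.
    celeb_acct = site.login_with_idp(
        IdpLogin("facebook", "10001", "Celebrity@example.com", email_verified=True))
    return celeb_acct.account_id == attacker_acct.account_id


def legit_merge_scenario(policy: str) -> bool:
    """Same flow, but the local copy of the address was verified by its real owner,
    so merging is the expected outcome under both policies."""
    site = Site(policy)
    local = site.register_local("owner@example.com", verified=True)
    via_idp = site.login_with_idp(
        IdpLogin("openid", "https://owner.example/", "owner@example.com", email_verified=True))
    return via_idp.account_id == local.account_id


if __name__ == "__main__":
    for policy in (Site.NAIVE, Site.STRICT):
        print(f"{policy:6}: attacker keeps celebrity's account={takeover_scenario(policy)}, "
              f"legitimate merge works={legit_merge_scenario(policy)}")
```

Under the strict policy the attacker's unverified account is simply left alone and the celebrity gets a separate account; the site loses nothing, because an unverified address was never evidence of ownership in the first place. Note the second guard as well: the provider's own `email_verified` flag is required, since a provider that accepts arbitrary addresses would otherwise let an attacker run the same trick in the other direction.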


Comments (1)

鸩远一方 2024-10-24 17:52:31


I seriously think it is a bad idea not to verify the email account of a user.

I understand that it simplifies the flow, but it could easily be used to, say, blacklist your mail server. Imagine when you send out mass emails to your members and a lot of them are bogus: you may be reported as spam by these bogus emails.

Having a verified email system, by sending them an email with a link requiring them to click on it to complete the registration, is a better system.
