Can any account with a verified email address be merged with an account with an unverified email address?
Say, if using OpenID Selector, which is Stack Overflow's login system, or JanRain, which actually allows using Facebook or Twitter to log in as well as OpenID, then some email addresses are not verified.
On the original website, if an email address is not verified, maybe we can merge two accounts (treat them as one user) if OpenID or JanRain logs in a user with an email address that is verified, and our current user accounts also have a user with that email address (but unverified) -- the real user can take control of the account now.
But what if a hacker registers a celebrity's email address, and then just waits months until the celebrity uses OpenID or Facebook with the verified email address to "merge" the two accounts?
(The website can announce that the accounts are merged, but the celebrity may not remember whether he or she previously signed up on that website, so he or she may not feel a security breach.) So, the security risk is: now whatever the celebrity does -- saving items to a list, etc. -- the hacker can silently monitor what is being done.
So is it true that if any account has an unverified email address, no other account should merge with it? Only if both accounts have that same verified email address, then those accounts can be treated as one single account.
Is this true, or can the rule be more flexible than this?
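An added example (not from the question or the site that republished it) modelling the pre-registration scenario above as a merge policy: the lenient rule merges on a matching address as soon as the incoming login is verified, while the rule the question proposes merges only when both sides hold the same verified address. The account records, the `example.com` addresses and the `verified` flag an identity provider asserts are all constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    MERGE = "merge"                  # treat the two accounts as one user
    KEEP_SEPARATE = "keep-separate"  # an account with that address exists but stays distinct
    CREATE_NEW = "create-new"        # nothing to merge with: provision a fresh account

@dataclass(frozen=True)
class Account:
    email: str
    verified: bool  # did this site itself confirm the address (e.g. via a clicked link)?

@dataclass(frozen=True)
class FederatedLogin:
    email: str
    verified: bool  # does the identity provider assert the address as verified?

def _same_address(a: str, b: str) -> bool:
    # Constructed normalisation: case-insensitive, surrounding whitespace ignored.
    return a.strip().lower() == b.strip().lower()

def merge_decision_lenient(local: Optional[Account], login: FederatedLogin) -> Decision:
    """First policy in the question: merge on an address match as soon as the
    incoming login is verified, even if the local account never verified it."""
    if local is None:
        return Decision.CREATE_NEW
    if _same_address(local.email, login.email) and login.verified:
        return Decision.MERGE
    return Decision.KEEP_SEPARATE

def merge_decision_strict(local: Optional[Account], login: FederatedLogin) -> Decision:
    """Rule the question proposes: merge only when BOTH sides hold the same
    verified address, so an unverified pre-registration never absorbs a new identity."""
    if local is None:
        return Decision.CREATE_NEW
    if _same_address(local.email, login.email) and local.verified and login.verified:
        return Decision.MERGE
    return Decision.KEEP_SEPARATE

# Constructed scenario from the question: the address was pre-registered but never
# verified; months later its real owner arrives via a provider that asserts it verified.
PREREGISTERED = Account("Celebrity@example.com", verified=False)
REAL_OWNER_LOGIN = FederatedLogin("celebrity@example.com", verified=True)
```

Under the lenient rule the pre-registered account is merged with the real owner's login; under the strict rule it stays separate and the owner gets a fresh account, with the old unverified record left to be verified or retired.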
Comments (1)
I seriously think it is a bad idea not to verify the email account of a user.
I understand that it simplifies the flow, but it could easily be used to, say, blacklist your mail server. Imagine when you send out mass emails to your members and a lot of them are bogus: you may be reported by these bogus emails as spam.
Having a verified email system, by sending them an email with a link requiring them to click on it to complete the registration, is a better system.