Questioning the Security of Activation E-mail

When someone registers at my website, my registration script sends an “Activation Email” to the e-mail address used during registration.

The registrant gets an e-mail like this…

Dear Jane Doe,

Thanks for creating a new account at www.Debbie.com

To activate your account, please click on the link below:

http://local.debbie/account/activate.php?x=0ff70b3a23cf00d0cd7936ee57feb60d

Sincerely,

Webmaster

Even though this is a very common approach, I am starting to question how secure it really is?! :-/

For example, what is stopping a hacker from trying to “brute force” the URL above and sending thousands of bogus requests, with the goal of activating Member Accounts where the actual “registrant” has not yet seen the e-mail?!

There is also the issue that a hacker could just keep sending requests trying to guess a particular registrant’s Activation Code.

Using this approach is supposed to be more secure, because the thought-process is that only the person who registered has access to his/her e-mail account, and so the Activation Email is safe.

But look at how low the bar is set with this e-mail!!!

I can see NOTHING that stops someone with too much time on his/her hands from just going to…


http://local.debbie/account/activate.php?x=

…and hacking away?! :eek:

I’m definitely not trying to make any additional work for myself, however, this whole “Member Account Activation Email” seems rather flaky the more I think about it…

Thoughts?

Sincerely,

Debbie

A hacker won’t be able to easily guess one of those URLs, since each one is unique, randomly generated, and is composed of a long string of characters.

Additionally, sometimes activation links are set to expire after a certain amount of time if they aren’t clicked.
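The reply above describes the two properties that make the link safe: a unique, randomly generated code of adequate length, and an expiry. The following is an added example (not code from the original post, whose activate.php is not shown) of what a correct implementation of that lifecycle looks like. It is written in Python with an in-memory dictionary standing in for the users table; the hostname and the 32-hex-character token format are taken from the e-mail in the post, everything else is assumed for illustration.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the link stops working 24 hours after it is issued
HEX_DIGITS = set("0123456789abcdef")


def activation_url(token):
    """Build the link that goes into the e-mail (hostname taken from the post)."""
    return "http://local.debbie/account/activate.php?x=" + token


def token_hash(token):
    """Only this digest is stored. If the users table leaks, the digests cannot be
    turned back into working activation links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ActivationStore:
    """In-memory stand-in for a users table (constructed for this example)."""

    def __init__(self):
        self.users = {}    # email -> {"token_hash", "expires", "active"}
        self.by_hash = {}  # token_hash -> email, the lookup the activate page does

    def issue_token(self, email, now_ts):
        # 16 bytes from the OS CSPRNG = 128 bits, rendered as the same 32 hex
        # characters as the link in the post. Use secrets, never rand()/md5(time()).
        token = secrets.token_hex(16)
        old = self.users.get(email)
        if old is not None:                      # re-sending replaces the old link
            self.by_hash.pop(old["token_hash"], None)
        digest = token_hash(token)
        self.users[email] = {
            "token_hash": digest,
            "expires": now_ts + TOKEN_TTL_SECONDS,
            "active": False,
        }
        self.by_hash[digest] = email
        return token  # returned only so the caller can e-mail it; never stored

    def activate(self, token, now_ts):
        """Handle GET /account/activate.php?x=<token>.
        Returns 'invalid', 'expired', 'already_active' or 'ok'."""
        # Reject anything that is not exactly 32 lowercase hex chars before the lookup.
        if len(token) != 32 or not set(token) <= HEX_DIGITS:
            return "invalid"
        email = self.by_hash.get(token_hash(token))
        if email is None:
            return "invalid"  # same answer as a malformed token: nothing to learn from a near miss
        rec = self.users[email]
        if rec["active"]:
            return "already_active"  # an active account cannot be activated again
        if now_ts > rec["expires"]:
            return "expired"
        rec["active"] = True
        return "ok"
```

Two design choices worth noting: the table stores a SHA-256 of the token rather than the token itself, so a database dump does not hand out activation links; and the lookup is by that digest, so there is no timing oracle on the token value to worry about. The `already_active` branch is what makes guessing an already-used code worthless, which is the point made later in the thread.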

But what is to stop some bored kid from sending a constant barrage of requests to the URL?

Once you know I am doing activation at this URL…


http://local.debbie/account/activate.php?x=

…the sky is the limit with the number of bogus requests you could send?! :shifty:

Sincerely,

Debbie

And they’d have to be able to brute force that guid…not real likely.

If you’re really feeling paranoid (hint :D), you can add a limit per IP address

With nearly 10^50 possible 32-character strings (assuming only [0-9][a-z]). Yes, it is theoretically possible that if someone harvests the power of every internet-connected device under the sun to (a) submit a registration form from every known email address, and (b) constantly hit your server trying registration codes, there is a slim chance that they will hit a match and get lucky.

But even if they do, what have they gained? They’ve signed someone else up to your website. Is that the end of the world?

The main reason for double opt-in, for most subscriptions, is simply to avoid the annoyance of someone getting signed up to a service they didn’t want because some other muppet mistyped their own email address. There’s rarely any major security issue at stake.

Okay, so I would basically agree with what you - and others - are saying on this point.

But again, what about my other point that someone could end up slamming the “Activation URL” in an attempt to do a DOS attack?

Wouldn’t it be beneficial to have something similar to my Log-In page’s “3 Strikes and You’re Out”?

Hey, I don’t know?! I’m just trying to scrutinize all of my code, and trying to think of any places where there may be some holes… :shifty:

Sincerely,

Debbie

If all they want to do is to bring your server to its knees, all they have to do is to hit on website.com/?a=00000000000001, and then increment the number each time. It doesn’t matter whether you’ve got any security systems at all, or if it’s just a plain static site with a single page and nothing else.

Does the Activation process reveal the user’s email address or password?
If it simply activates the account, then it is akin to you remotely turning on the lights in my house but without any idea where I live.

Psst. Look at post #4.

Honestly, you have to weigh the benefits to the time and effort required. If you DO get attacked with a DDOS attack, take it as a sign that you made it. People only attack the sites that are worth the effort :slight_smile:

As I said in my original post…

The registrant gets an e-mail like this…


Dear Jane Doe,

Thanks for creating a new account at www.Debbie.com

To activate your account, please click on the link below:

http://local.debbie/account/activate.php?x=0ff70b3a23cf00d0cd7936ee57feb60d

Sincerely,

Webmaster

Sincerely,

Debbie

My bad.

Isn’t it true that doing any kind of filtering on IP can backfire, because companies like AOL - is that company even around?! - use the same IP for all of their users?!

Yes, that is true!
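The per-IP limit suggested earlier in the thread and the shared-IP objection just confirmed can both be satisfied if the limit counts only failed activation attempts. A registrant behind a corporate or carrier NAT clicks a valid link once and is never counted, while a client that keeps submitting bad codes from one address is refused. The following is an added example, not code from the original post: a sliding-window limiter in Python with a constructed traffic replay (the addresses are from the documentation ranges and the numbers are assumptions).

```python
from collections import defaultdict, deque


class FailedActivationLimiter:
    """Sliding-window limit on failed activation attempts per client IP.

    Successful activations are never counted, so an office or carrier NAT where
    many real registrants click their links is unaffected; only an address that
    keeps producing bad tokens gets refused for the rest of the window.
    """

    def __init__(self, max_failures=20, window_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _prune(self, ip, now_ts):
        q = self.failures[ip]
        while q and q[0] <= now_ts - self.window:  # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, ip, now_ts):
        return len(self._prune(ip, now_ts)) < self.max_failures

    def record(self, ip, now_ts, succeeded):
        if not succeeded:
            self._prune(ip, now_ts).append(now_ts)


def simulate(limiter, events):
    """Replay (time, ip, succeeded) events; return (served, refused) counts."""
    served = refused = 0
    for now_ts, ip, succeeded in events:
        if limiter.allowed(ip, now_ts):
            limiter.record(ip, now_ts, succeeded)
            served += 1
        else:
            refused += 1
    return served, refused


def demo():
    limiter = FailedActivationLimiter(max_failures=20, window_seconds=600)
    # Constructed traffic: 500 bad guesses from one attacker address within 500 s,
    # and 200 real registrants behind a single NAT address, 3 of whom paste the
    # link wrongly once before getting it right.
    attacker = [(i, "203.0.113.9", False) for i in range(500)]
    nat = []
    for i in range(200):
        if i < 3:
            nat.append((i * 2, "198.51.100.1", False))
        nat.append((i * 2 + 1, "198.51.100.1", True))
    return {
        "attacker": simulate(limiter, attacker),      # (20 served, 480 refused)
        "shared_nat": simulate(limiter, nat),         # (203 served, 0 refused)
    }
```

Unlike a "3 strikes" lock on the account itself, this keys on the client rather than the target, so an attacker cannot use it to lock a legitimate registrant out of activating. In production the per-IP state would live in something shared between web workers (a cache or the database) rather than a process-local dictionary.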

So, according to you guys, it sounds like my Activation Page is good enough for now…

Sincerely,

Debbie

DD,

If you send spam (unwanted e-mail), you are guilty of a (probably minor) cybercrime. While most are simply ignored (because hackers are good at hiding their origin), isn’t it worth the extra effort to confirm FROM THE ADDRESS USED that the person does want your e-mail?

Warning: To avoid SPAMMING with your confirmation messages, be sure to check the address against the database before sending more than one (within your timeout period, of course).

Regards,

DK

You really have a gift for coming out of left field with your comments sometimes…

I have no clue how what you said above pertains to this thread… :rolleyes:

Debbie

As already said, the likelihood of being able to successfully brute force an activation email is very slim. Anyone who has ever written a brute-force algorithm to reverse a hash will know that it would take many, many years to actually brute-force a GUID. That’s a mathematical certainty.

This should give you an idea what would be involved with brute forcing a GUID: http://blogs.msdn.com/b/oldnewthing/archive/2013/10/29/10461148.aspx

I have no way to verify if that link is accurate from a technical standpoint, but I get the point you are trying to get across to me… :wink:

Thanks for the link!

Sincerely,

Debbie

For the record, the blog is run by Raymond Chen, who has been a part of the Windows team at Microsoft since 1992, and is one of the most respected guys in tech. If there’s any one you should trust, it’s him.

Fair enough.

BTW, his post would have been stronger had he included this concept…

It doesn’t matter how many unique GUIDs there are. What we care about in this conversation is the percentage of GUIDs that are used.

If there are 10 zillion GUID combinations, but 5 zillion Members, then you have a 50/50 chance of randomly guessing a GUID which you could use to hack into a Session and account.

It is implied from his post that there are an insane amount of GUIDs out there, so my example above wouldn’t apply, but hopefully you see my point and the important distinction…

Sincerely,

Debbie
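The fraction-in-use point above is the right way to frame the odds, and it can be worked through with the numbers already given in the thread (32 characters from [0-9a-z], so 36^32, roughly 10^50 tokens). The following is an added example, not part of any post: a few lines of Python that compute the probability of hitting any outstanding token, or one specific registrant's token, for a given number of guesses. The attacker rate and the count of pending activations in `scenarios()` are assumptions chosen for illustration.

```python
import math


def keyspace(alphabet_size, length):
    """Number of distinct tokens, e.g. 36**32 for 32 chars of [0-9a-z] (about 6.3e49)."""
    return alphabet_size ** length


def p_hit_any(outstanding, space, guesses):
    """Probability that `guesses` uniformly random tries hit at least one of the
    `outstanding` tokens currently awaiting activation: 1 - (1 - k/N)^n."""
    if outstanding >= space:
        return 1.0
    per_guess = outstanding / space
    # computed via log1p/expm1 so tiny per-guess odds do not cancel to zero
    return -math.expm1(guesses * math.log1p(-per_guess))


def p_hit_victim(space, guesses):
    """Probability of hitting one specific registrant's token: n/N (capped at 1)."""
    return min(1.0, guesses / space)


def expected_guesses_to_first_hit(outstanding, space):
    """Mean number of guesses before the first hit on any outstanding token."""
    return space / outstanding


def scenarios():
    space = keyspace(36, 32)
    year = 365 * 24 * 3600
    guesses_per_year = 10**9 * year  # assumed: a billion requests per second, all year
    return {
        # the post's hypothetical: half of all tokens in use -> even odds per guess
        "half_in_use_one_guess": p_hit_any(space // 2, space, 1),
        # assumed realistic case: a million activations pending at once
        "million_pending_year": p_hit_any(10**6, space, guesses_per_year),
        "victim_year": p_hit_victim(space, guesses_per_year),
        "expected_guesses_million_pending": expected_guesses_to_first_hit(10**6, space),
    }
```

With a million pending activations and a billion guesses a second for a year, the chance of activating anyone's account comes out around 5e-28, and the chance of activating one chosen account around 5e-34; the expected number of guesses before the first hit is about 6e43. The fraction-in-use argument is correct, but with a 128-bit random token the fraction is so small that it never matters in practice.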

A properly implemented approach should have the link valid for a number of hours; for example, if they do not click on the link within 24 hours, the link expires.

In short, if you are concerned with security, choose a longer SALT value if you coded the site yourself; if not, raise the matter with the forum dev team that wrote the routine and get it from the horse’s mouth.

Your post assumes that no users have activated their accounts. As you cannot reactivate your account once it is already active this method of attack wouldn’t work.

What you’ve suggested is valid. Not for the GUID approach, as you’ll still need a few lifetimes to spare just to set up your rainbow table, but is very valid if you’ve rolled your own system, or if you email out temporary passwords (i.e. on a forgotten password link). I’ve known numerous sites that have done the latter, and have ultimately been hacked.