undefined | Better HN

0 pointsaspect05451y ago0 comments

What can you do to prevent automatic confirmation in that case?

0 comments

I run an authorization service that allows to log-in using magic links and we managed to solve this. First approach was for the link opening GET request to do not log the user in, but to include an HTML page with JavaScript that issued a POST request with a code from the link to log the user in. This worked well for a long time, because email scanners were fetching links from emails with GET requests but did not execute JavaScript on the fetched pages. Unfortunately, some time ago Microsoft tools indeed started to render the fetched pages and execute JavaScript on them which broke the links. What works now is to check if the link is open in the same browser that requested the link (you can use a cookie to do it) and only automatically login the user in these cases. If a link is open in a different browser, show an additional button ('Login as <email address>') that the user needs to click to finish the login action. MS tools render the login page but do not click buttons on it.

The issue that MS tools introduced is broader, because it affects also email confirmation flows during signups. This is less visible, because usually the scanners will confirm emails that the user would like to confirm anyway. But without additional protection steps, the users can be signed up for services that they didn't request and MS tools will automatically confirm such signups.

szszrk1y ago

> check if the link is open in the same browser that requested the link (you can use a cookie to do it) and only automatically login the user in these cases. If a link is open in a different browser, show an additional button ('Login as <email address>') that the user needs to click to finish the login action.

Thanks for checking if it's the same browser. Some companies don't care about that (cough booking cough) so harmful actors just spam users with login attempts in hope a user will click by accident. And puff, random guy gets full access to your account. I got those every day, if I ever needed to login this way I would not be able to figure out which request is mine.

vanviegen1y ago

Wouldn't that just log you in on the browser doing the clicking, instead of the attackers browser?

1 more reply

keskival1y ago

Ok, what if an email has "click this link if it was you who tried to log-in", or "if it wasn't you"?

Will Microsoft automatically authenticate malicious actors, or block yourself from services built with assumptions that the email client won't auto-click everything?

mixedbit1y ago

Login links from my service were automatically clicked and rendered and I know that other services discovered similar problems. Based on this I think that it is very likely the case with all the links in emails, but I don't know if there is any additional heuristic involved that would treat some links differently.

See also this issue which suggests that all links are opened: https://techcommunity.microsoft.com/discussions/microsoftdef...

Note that this doesn't affect all Outlook users, this Microsoft Defender for Office 365 is a separate product that only some companies use.

ku1ik1y ago

That check for the same browser is a great idea. Thanks!

saagarjha1y ago

This can be annoying when you intentionally want to log in to a browser that is not the one making the request, such as an in-app browser.

pmontra1y ago

> But without additional protection steps, the users can be signed up for services that they didn't request and MS tools will automatically confirm such signups.

Indeed it's a bad thing but how bad?

The admins of some web service get a database of emails, send them those registration links, make their mail software create the accounts and? They end up with a service with accounts that they could create without sending those emails, before they send some emails to solicit users to perform some action on their (long forgotten?) account. There is no additional threat unless I'm missing something.

The admins have only an extra thin layer of protection because of the confirmation step but I think that any court can see through it.

mixedbit1y ago

The exploitation and potential damage would be service specific. Say a Dropbox like service for computer file syncing: An attacker creates an account for 'alice@example.org' and gets the signup email automatically confirmed. The attacker uploads some malware files to the account. After some time Alice attempts to create a valid account and resets password for 'alice@example.com'. Then Alice installs a desktop file syncing client provided by the service and malware files from the attacker get downloaded to her machine.

Another example would be if a company hosted a web app for employees that allowed signups only from @company.com addresses. In such case an attacker could be able to signup with such an address.

1 more reply

aftbit1y ago

It defeats the email verification entirely. If that weren't necessary for something, why would the site require it?

miohtama1y ago

The link leads to a page where you need to press a button (HTTP POST).

sandermvanvliet1y ago

As far as I know there’s nothing.

The alternative is to send an OTP in the mail and tell the user to enter that.

In that way there is no link to auto confirm.

However, if you do that ensure that you have a way to jump straight to the page to enter the OTP because (looking at you Samsung) the account registration process can expire or the app is closed (not active long enough) and your user is stuck

j / k navigate · click thread line to collapse

0 comments

mixedbit1y ago

szszrk1y ago

vanviegen1y ago

Wouldn't that just log you in on the browser doing the clicking, instead of the attackers browser?

1 more reply

keskival1y ago

Ok, what if an email has "click this link if it was you who tried to log-in", or "if it wasn't you"?

Will Microsoft automatically authenticate malicious actors, or block yourself from services built with assumptions that the email client won't auto-click everything?

mixedbit1y ago

See also this issue which suggests that all links are opened: https://techcommunity.microsoft.com/discussions/microsoftdef...

Note that this doesn't affect all Outlook users, this Microsoft Defender for Office 365 is a separate product that only some companies use.

ku1ik1y ago

That check for the same browser is a great idea. Thanks!

saagarjha1y ago

This can be annoying when you intentionally want to log in to a browser that is not the one making the request, such as an in-app browser.

pmontra1y ago

> But without additional protection steps, the users can be signed up for services that they didn't request and MS tools will automatically confirm such signups.

Indeed it's a bad thing but how bad?

The admins have only an extra thin layer of protection because of the confirmation step but I think that any court can see through it.

mixedbit1y ago

Another example would be if a company hosted a web app for employees that allowed signups only from @company.com addresses. In such case an attacker could be able to signup with such an address.

1 more reply

aftbit1y ago

It defeats the email verification entirely. If that weren't necessary for something, why would the site require it?

miohtama1y ago

The link leads to a page where you need to press a button (HTTP POST).

sandermvanvliet1y ago

As far as I know there’s nothing.

The alternative is to send an OTP in the mail and tell the user to enter that.

In that way there is no link to auto confirm.

j / k navigate · click thread line to collapse