
[Security Improvement]: Emails are not being verified during sign up. #334

Open
RishabhJain0721 opened this issue Mar 3, 2024 · 5 comments

Comments

@RishabhJain0721
Contributor

RishabhJain0721 commented Mar 3, 2024

Description 📝

There is a vulnerability in the authentication system of the project. The issue allows any random email, whether it exists or not, to be used to sign up and subsequently log in.

Link 🔗

https://retlab-dev.firebaseapp.com/signup

Steps to Reproduce 🔄

  1. Go to the sign up page.
  2. Try signing up with a non-existent email account.

Screenshots 📸

[Screenshot 2024-03-04 001705 (image not reproduced)]

Expected Behavior 🤔

The expected flow of control, from my perspective, should be like this:

  1. A user fills the sign up form.
  2. User clicks the sign up button.
  3. An email with a verification link in it is sent to that user's email address.
  4. As soon as the user clicks on the verification link sent to their email, the user should get verified and redirected to the home page.

Actual Behavior 😱

  1. A user fills the sign up form.
  2. User clicks the sign up button.
  3. Account is created and user can now login.

Environment 🌍

  • OS: Windows
  • Browser: Brave

Additional Information ℹ️

This vulnerability could allow unauthorized users to gain access to user accounts, potentially leading to unauthorized actions and other security incidents. Implementing email verification would be a great mitigation step.

@RishabhJain0721 RishabhJain0721 added the Bug Something isn't working label Mar 3, 2024
@RishabhJain0721
Contributor Author

RishabhJain0721 commented Mar 4, 2024

Hey @jvJUCA
I would like to work on this issue by setting up email verification using Firebase Authentication to verify new users. Please assign this issue to me.

@KarinePistili KarinePistili removed the Bug Something isn't working label Mar 5, 2024
@KarinePistili
Member

Hello @RishabhJain0721, I removed the bug tag as this is not a bug, but an improvement to the code.

For the present moment we are not interested in implementing this specific feature. We will leave this issue open for future work.

Thank you for the suggestions.

@KarinePistili KarinePistili changed the title [🐞 BUG]: Emails are not being verified during sign up. [Security Improvement]: Emails are not being verified during sign up. Mar 5, 2024
@KarinePistili KarinePistili added Future Work Enhancement New feature or request labels Mar 5, 2024
@RishabhJain0721
Contributor Author

@KarinePistili Alright thanks for the correction.

@solvibrain

Could I work on this Issue?

@KarinePistili
Member

Hello @solvibrain, this issue is currently marked as future work and won't be done for now. Feel free to find another issue if there is something you find interesting ;)

@KarinePistili KarinePistili removed the Enhancement New feature or request label Apr 15, 2024
3 participants