[Security Bug] I can keep using the same link to activate+login indefinitely

  • Resolved howson

    (@howson)


    4 years, 6 months ago

    I recently discovered that the verification code is not flag as used after the user have verified.

    Meaning I can use the same code to activate and auto login over and over again.

    Doesn’t seems to be very secure. Is this a bug?

    • This topic was modified 4 years, 6 months ago by howson.
    • This topic was modified 4 years, 6 months ago by howson.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author WPFactory

    (@wpcodefactory)

    Hello @howson ,
    We have a feature that could probably solve this issue but it’s only available in Pro version for now. The feature name is:
    – Expire activation link

    Anyway we’ll be working on your suggestion trying to make the link active only once

    • This reply was modified 4 years, 6 months ago by WPFactory.
    • This reply was modified 4 years, 6 months ago by WPFactory.
    Thread Starter howson

    (@howson)

    The expiration link technically solve part of the issue, however as long as that link is not expired people can keep using that verification link to login without a password.

    Would really appreciate if you can work on a one time use activation link, as this will greatly improve security. Is there an estimation on when this can be roll out?

    Thanks.

    Plugin Author WPFactory

    (@wpcodefactory)

    Hi @howson ,
    Don’t worry. We are creating a new option for it and we’ll release on the next version as a free feature.

    Thanks for the suggestion ??

    Plugin Author WPFactory

    (@wpcodefactory)

    Hello @howson
    We’ve created a new option for you on the last version (1.9.5) called:
    – One-time activation link

    Let me know if it works ??

    Plugin Author WPFactory

    (@wpcodefactory)

    Hi, I’m marking it as “resolved” for now. Let me know if you notice anything else or still want some help ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘[Security Bug] I can keep using the same link to activate+login indefinitely’ is closed to new replies.