
I've registered a GitHub account to test their email verification process. So:

  1. They've sent me an email with a link containing my username and a 40-char code, like: https://github.com/users/USERNAME/emails/120066679/confirm_verification/47889d71648523e5d99db5b969f59809c2715fb6

  2. I have not followed the link

  3. 4 days later, they've sent me another one (a reminder) that I have to verify my email, containing a link with a different 40-char code

So, what was the purpose of changing the 40-char code? As I remember, other services used to expire verification codes anyway. If there is already a username in the verification link, is there really a need to do that? In case of brute force, I can just count failed attempts related to a specific user and block it, right?

P.S. Also interesting: what is the purpose of emails/120066679 in the link? (It is similar in both emails.)

MaxCore
  • Do you know if they expire the link, when they do so and what are the ramifications of replay attack? You're making assumptions and they may or may not match the threat model that Github considered. – identigral Sep 04 '20 at 23:54
  • I’m voting to close this question because it is a question about security practices, not about programming as defined by the [help]. You should pose this question on Security.SE instead. – TylerH Sep 11 '20 at 13:18

2 Answers


There are several reasons why quick expiration of verification codes is the best practice.

If protection with a verification code is deemed appropriate, it's safest to make it not only complex enough but also valid for a minimum amount of time. If you only make the code work for the time needed (usually really short), you diminish the risk of someone abusing it. (For example, someone could programmatically 'guess' the codes - the more time for this exercise, the higher the chance of success.)

Also, it's not efficient to store data of this kind. It's used once, it doesn't contain any actual information and as soon as it's used, it's ready to be "thrown away". It's not a good practice to store anything that doesn't add value when stored.

In addition, it's fairly rare that users don't use the codes immediately/soon. For the small percentage of cases where the code expires by the time the user tries to use it, it's more efficient to generate new ones.

colourCoder

Well, the purpose of an email validation link is to make sure that you actually own the email. Most validation links simply contain some secret that they send out your way, only in the possession of which may you verify the email address.

The reason they changed the code is probably that it expires. In that case you could not activate the account, so they sent you another in case you'd like to continue.

What if they don't send out a secret like this then?

In that case there is nothing that prevents an attacker from "verifying" emails that they actually have no control over. They could just visit the URL with the username plugged in and activate the account.

Normal users would not do this, but spammers might.

For the case of brute force: If the secret is sufficiently random, and the keyspace is large enough, trying to guess it is a fool's errand.

We can assume this is a random 40 hex char number, which gives us:

16**40 == 1461501637330902918203684832716283019655932542976

possible values for it. It is safe to say that no one will guess this number in the near future.
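As an added example (not GitHub's implementation, and not code from either answer), here is a Python sketch of the scheme both answers describe: a random 40-hex-character code with a short lifetime, stored only as a hash, single-use, where a reminder replaces the previous code and failed attempts are counted per user as the asker suggests. The 4-day lifetime, the lock threshold, and treating the numeric id in the link as the pending address record are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy values, not GitHub's: codes live 4 days (the reminder
# interval in the question) and a user is locked after 5 wrong codes.
TOKEN_TTL = 4 * 24 * 3600
MAX_FAILURES = 5

def keyspace(hex_len):
    """Number of possible codes of hex_len hex characters (16**40 for 40 chars)."""
    return 16 ** hex_len

@dataclass
class Pending:
    token_hash: str   # only a hash is stored, so a leaked table yields no usable links
    expires_at: int
    failures: int = 0

class EmailVerifier:
    """Single-use, expiring codes; one pending code per (user, email record id)."""
    def __init__(self):
        self._pending = {}

    def issue(self, user, email_id, now):
        # secrets.token_hex(20) gives 40 hex chars (160 bits). Re-issuing, e.g. for
        # a reminder, replaces the previous record, so the older link stops working.
        token = secrets.token_hex(20)
        self._pending[(user, email_id)] = Pending(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=now + TOKEN_TTL)
        return token

    def confirm(self, user, email_id, token, now):
        key = (user, email_id)
        rec = self._pending.get(key)
        if rec is None:
            return "no-pending"          # never issued, already used, or replaced
        if now > rec.expires_at:
            del self._pending[key]
            return "expired"
        if rec.failures >= MAX_FAILURES:
            return "locked"              # per-user failure counting
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(rec.token_hash, presented):
            rec.failures += 1
            return "invalid"
        del self._pending[key]           # single use
        return "verified"
```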