Posted to issues@airavata.apache.org by "Marcus Christie (JIRA)" <ji...@apache.org> on 2017/10/09 15:39:00 UTC

[jira] [Commented] (AIRAVATA-2552) Gateway user received 400+ account verification emails !!!

    [ https://issues.apache.org/jira/browse/AIRAVATA-2552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16197161#comment-16197161 ] 

Marcus Christie commented on AIRAVATA-2552:
-------------------------------------------

In the Apache logs I'm seeing requests from about 3 different user agents for multiple different confirm-user-registration emails.

{noformat}
68.100.57.219 - - [07/Oct/2017:09:17:19 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d2d18b717 HTTP/1.1" 302 344 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38"
70.42.131.106 - - [07/Oct/2017:09:21:01 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d2d18b717 HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
70.42.131.106 - - [07/Oct/2017:09:22:10 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d2d18b717 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
70.42.131.106 - - [07/Oct/2017:09:22:38 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d2d18b717 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
74.217.90.250 - - [07/Oct/2017:09:24:03 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d51f25c34 HTTP/1.1" 302 344 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
74.217.90.250 - - [07/Oct/2017:09:24:11 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d51f25c34 HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
74.217.90.250 - - [07/Oct/2017:09:24:11 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d51f25c34 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
74.217.90.250 - - [07/Oct/2017:09:25:26 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d57c2b40c HTTP/1.1" 302 344 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
74.217.90.250 - - [07/Oct/2017:09:25:27 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d57c20e66 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
74.217.90.250 - - [07/Oct/2017:09:25:35 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8d57c2b40c HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
...
70.42.131.106 - - [07/Oct/2017:09:57:04 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafc77ef4 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
70.42.131.106 - - [07/Oct/2017:09:57:12 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8daff708b2 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
70.42.131.106 - - [07/Oct/2017:09:57:13 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafd1d37c HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
70.42.131.106 - - [07/Oct/2017:09:57:13 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafd1d37c HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
70.42.131.106 - - [07/Oct/2017:09:57:16 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafc9cec4 HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
70.42.131.106 - - [07/Oct/2017:09:57:23 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafc77ef4 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
70.42.131.106 - - [07/Oct/2017:09:57:42 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8db21b5087 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
70.42.131.106 - - [07/Oct/2017:09:57:49 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafc9cec4 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
70.42.131.106 - - [07/Oct/2017:09:58:43 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafd1d37c HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
70.42.131.106 - - [07/Oct/2017:09:58:43 -0400] "GET /confirm-user-registration?username=mikell_p&code=59d8dafc9cec4 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
{noformat}

Looks like the first one, which is from Safari, was successful in confirming the user and enabling the account.

The others .. are weird. The User Agents look like the ones for IE 8, IE 9 and IE 11.  Looks like for every unique code generated it gets loaded by IE 8, IE 9 and IE 11.

My initial guess is that an email client is trying to load a preview of the email and is trying different browser versions in case only certain browser versions are allowed.  This would explain why there are so many so quickly, since this could set up a feedback loop where invalid confirmation codes trigger new emails and the email client reading those emails triggers more invalid user confirmation requests.  But I'm doubtful of this because I've never heard of an email client preloading URLs with different user agents.

If it is an email client automatically loading the URL then this would be a bigger problem since that would allow an attacker to create an account using another user's email address and that other user's email client would "confirm" the registration for them.  But this is a widespread practice to send users links to confirm their email address, so I would be surprised if this is the case.  Also, email clients tend to be shy about loading URLs in emails except for images from known and trusted senders.

As far as mitigation, we could not send another confirmation email when the user is already confirmed.  That would have prevented this issue.

> Gateway user received 400+ account verification emails !!!
> ----------------------------------------------------------
>
>                 Key: AIRAVATA-2552
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-2552
>             Project: Airavata
>          Issue Type: Bug
>          Components: Keycloak Authentication, PGA PHP Web Gateway
>    Affects Versions: 0.18
>         Environment: https://seagrid.org/
>            Reporter: Eroma
>            Assignee: Marcus Christie
>             Fix For: 0.19
>
>
> A seagrid user has got over 400+ account verification emails. Each of them has gone with a different verification link. He has got them even after Sudhakar changed his role to gateway_user.
> He has created his account on Saturday around 9.17 am and Sudhakar has given his gateway_user after about 10 minutes. First case reported and I looked in the email for about past 5 months and this is the first time.
> First email verification to user - Sat, Oct 7, 2017 at 9:12 AM
> New user account creation to SGG & Sudhakar -   Sat, Oct 7, 2017 at 9:17 AM
> Second email verification -   Sat, Oct 7, 2017 at 9:21 AM
> Third email verification -   Sat, Oct 7, 2017 at 9:21 AM
> Fourth email verification  - Sat, Oct 7, 2017 at 9:22 AM
> Privilege changed email -   Sat, Oct 7, 2017 at 9:29 AM
> He has got 7 more before he got privilege change emails
> Rest of the 430+ verification emails have gone while the account was enabled
> user account: mikell_p
> He was using his university email.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
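
The pattern described in the comment above (each confirmation code fetched by several different user agents, and many codes issued for one account) can be checked for directly in the access log. This is an added example, not code from Airavata or from the original message; the log lines are constructed, and `group_by_code`, `flag_users` and the thresholds are hypothetical names and values.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format, the same layout as the excerpt in the comment.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample lines: documentation IPs, made-up usernames and codes.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2017:09:17:19 -0400] "GET /confirm-user-registration?username=alice&code=aaa111 HTTP/1.1" 302 344 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) Safari/604.1.38"
198.51.100.7 - - [07/Oct/2017:09:21:01 -0400] "GET /confirm-user-registration?username=alice&code=aaa111 HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
198.51.100.7 - - [07/Oct/2017:09:22:10 -0400] "GET /confirm-user-registration?username=alice&code=aaa111 HTTP/1.1" 200 14843 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
198.51.100.7 - - [07/Oct/2017:09:24:03 -0400] "GET /confirm-user-registration?username=alice&code=bbb222 HTTP/1.1" 302 344 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
198.51.100.7 - - [07/Oct/2017:09:24:11 -0400] "GET /confirm-user-registration?username=alice&code=bbb222 HTTP/1.1" 200 14843 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.5 - - [07/Oct/2017:10:02:00 -0400] "GET /confirm-user-registration?username=bob&code=ccc333 HTTP/1.1" 302 344 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
"""

def group_by_code(lines):
    """Map (username, code) -> list of (ip, user_agent) that requested that link."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if url.path != "/confirm-user-registration":
            continue
        q = parse_qs(url.query)
        key = (q.get("username", [""])[0], q.get("code", [""])[0])
        hits[key].append((m["ip"], m["ua"]))
    return hits

def flag_users(lines, min_agents=2, min_codes=2):
    """Users with several codes where a code was fetched by >= min_agents user agents."""
    per_user = defaultdict(lambda: {"codes": 0, "multi_agent_codes": []})
    for (user, code), reqs in group_by_code(lines).items():
        per_user[user]["codes"] += 1
        if len({ua for _ip, ua in reqs}) >= min_agents:
            per_user[user]["multi_agent_codes"].append(code)
    return {u: s for u, s in per_user.items()
            if s["codes"] >= min_codes and s["multi_agent_codes"]}

if __name__ == "__main__":
    print(flag_users(SAMPLE_LOG.splitlines()))
```

A user who clicks one link once from one browser (the `bob` line) is not flagged; only accounts with repeated codes and multi-agent fetches are reported.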