The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
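The change described above is the general rule that a GET request must not carry out a state change, because mail clients and link scanners are entitled to issue GETs on the user's behalf. The following is an added, language-agnostic illustration of that rule written in Python; it is not code from ash_authentication or ash_authentication_phoenix. `AccountStore`, the two handlers, the `link_prefetcher` model and the sample addresses are all constructed for the example. The "before" handler confirms on GET, as the advisory describes; the "after" handler renders a page with a button on GET and only consumes the token on POST, so a prefetch alone cannot confirm the account.

```python
import html
import secrets


class AccountStore:
    """Constructed in-memory stand-in for the accounts table (not the library's)."""

    def __init__(self):
        self.pending = {}       # confirmation token -> email awaiting confirmation
        self.confirmed = set()  # emails whose accounts have been confirmed

    def register(self, email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        return token

    def confirm(self, token):
        # Single-use: the token is removed whether or not it was valid.
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.confirmed.add(email)
        return True


def vulnerable_confirm(store, method, params):
    """Before the fix: a GET carrying a valid token is enough to confirm."""
    if method != "GET":
        return 405, "Method not allowed"
    if store.confirm(params.get("token", "")):
        return 200, "Account confirmed"
    return 400, "Invalid or expired token"


def hardened_confirm(store, method, params):
    """After the fix: GET only renders a page with a button; POST confirms."""
    token = params.get("token", "")
    if method == "GET":
        if token not in store.pending:
            return 400, "Invalid or expired token"
        # Nothing changes on GET: the token is echoed into a form for the user to submit.
        return 200, (
            '<form method="post">'
            f'<input type="hidden" name="token" value="{html.escape(token)}">'
            '<button type="submit">Confirm my account</button></form>'
        )
    if method == "POST":
        if store.confirm(token):
            return 200, "Account confirmed"
        return 400, "Invalid or expired token"
    return 405, "Method not allowed"


def link_prefetcher(handler, store, token):
    """Models a mail client or scanner that follows links: it only issues GETs."""
    return handler(store, "GET", {"token": token})


def prefetch_confirms(handler):
    """Does a prefetch of the emailed link, by itself, confirm the account?"""
    store = AccountStore()
    token = store.register("victim@example.com")  # constructed sample address
    link_prefetcher(handler, store, token)
    return "victim@example.com" in store.confirmed


def user_can_confirm(handler):
    """Legitimate flow: open the link, then press the button if one is shown."""
    store = AccountStore()
    token = store.register("user@example.com")  # constructed sample address
    status, body = handler(store, "GET", {"token": token})
    if status != 200:
        return False
    if "<form" in body:
        status, _ = handler(store, "POST", {"token": token})
    return status == 200 and "user@example.com" in store.confirmed


if __name__ == "__main__":
    for name, handler in (("before", vulnerable_confirm), ("after", hardened_confirm)):
        print(name, "prefetch confirms:", prefetch_confirms(handler),
              "user can confirm:", user_can_confirm(handler))
```

The hardened handler also rejects any method other than GET or POST and treats the token as single-use, so a replayed confirmation request after the first fails. The same shape carries over to the LiveView page the advisory describes: the emailed link opens a page, and the confirmation itself happens only on the explicit submit.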
To mitigate, follow these steps:
1. Upgrade to ash_authentication >= 4.7.0.
2. Upgrade to ash_authentication_phoenix >= 2.6.0 (if using ash_authentication_phoenix).
3. Set `require_interaction? true` in your confirmation strategy.
4. Add `confirm_route` to your router, above `auth_routes`, if using ash_authentication_phoenix.

require_interaction? true

Modify your confirmation strategy like so:
```elixir
confirmation <strategy_name> do
  ...
  require_interaction? true
end
```
confirm_route to your router

In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the `path` and `token_as_route_param?` options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have...
Patched version: 4.7.0

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: Attack Vector: Network (AV:N); Attack Complexity: Low (AC:L); Privileges Required: None (PR:N); User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Impact: Confidentiality: None (C:N); Integrity: Low (I:L); Availability: None (A:N)