Ash Authentication Email Link Auto-Click Account Confirmation Vulnerability

Vulnerability

A vulnerability in the Ash Authentication library for the Ash framework allows for unintended account confirmations. The issue arises because account creation is confirmed by a plain GET request, triggered by clicking a link in a confirmation email, with no further user interaction. Some email clients and security tools, such as Outlook and various virus scanners, automatically follow links in incoming mail to preview or scan them, which confirms the account without the user's knowledge. This flaw enables an attacker to register an account using someone else's email address, potentially leading to the account being confirmed by the victim's email client. However, this vulnerability does not allow access to existing accounts or private data, and only affects the confirmation of new accounts.

Impact

Exploitation of this vulnerability could result in unauthorized account confirmations, allowing attackers to create accounts in another user's name without their consent.

Reproduction

To reproduce this vulnerability, register an account using an email address that the target user has access to. Once the account is created, the confirmation link will be sent via email. If the target user opens this email, their email client may automatically follow the link and confirm the account, without any interaction from them.

Remediation

Users are advised to upgrade to Ash Authentication version 4.7.0 or later. If using Ash Authentication Phoenix, upgrade to version 2.6.0 or later. Upgrading alone does not change the behaviour: after upgrading, set 'require_interaction? true' in the confirmation strategy and add 'confirm_route' to the router, placed above 'auth_routes'.
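The following Elixir snippet is an added example, not code from the advisory or from the Ash project, showing what the remediation looks like in an Ash resource and a Phoenix router. The option name 'require_interaction?', the 'confirm_route' macro and its placement above 'auth_routes' come from the advisory; everything else (the module names MyApp.Accounts.User, MyAppWeb.Router and AuthController, the data layer, the 'monitor_fields', 'confirm_on_create?' and 'sender' settings, and the 'auth_routes_prefix' option) is an assumption based on a typical Ash Authentication setup and should be matched to the application being fixed.

```elixir
# Added example (not from the advisory or the Ash project). All module names
# and options other than require_interaction?, confirm_route and auth_routes
# are assumptions drawn from a typical Ash Authentication setup.

# --- Resource: lib/my_app/accounts/user.ex ---
defmodule MyApp.Accounts.User do
  use Ash.Resource,
    domain: MyApp.Accounts,
    data_layer: AshPostgres.DataLayer,
    extensions: [AshAuthentication]

  authentication do
    add_ons do
      # Before (vulnerable): following the emailed link alone confirms the
      # account, so a mail client or scanner that pre-fetches the URL
      # confirms it without the user doing anything.
      #
      # confirmation :confirm_new_user do
      #   monitor_fields [:email]
      #   confirm_on_create? true
      #   sender MyApp.Accounts.User.Senders.SendNewUserConfirmationEmail
      # end

      # After (ash_authentication >= 4.7.0): the link renders a page that
      # asks the user to confirm instead of confirming on the GET itself.
      confirmation :confirm_new_user do
        monitor_fields [:email]
        confirm_on_create? true
        require_interaction? true
        sender MyApp.Accounts.User.Senders.SendNewUserConfirmationEmail
      end
    end
  end
end

# --- Router: lib/my_app_web/router.ex (ash_authentication_phoenix >= 2.6.0) ---
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  use AshAuthentication.Phoenix.Router

  scope "/", MyAppWeb do
    pipe_through :browser

    # confirm_route must be declared before auth_routes so that the
    # interactive confirmation page takes precedence over the generic
    # strategy routes for the same path prefix.
    confirm_route MyApp.Accounts.User, :confirm_new_user,
      auth_routes_prefix: "/auth"

    auth_routes AuthController, MyApp.Accounts.User, path: "/auth"
  end
end
```

A quick check after deploying: open the confirmation link from a fresh registration in a browser and verify that the account is not marked confirmed until the button on the rendered page is used. If the record is already confirmed when the page loads, the add-on is still confirming on the GET and the configuration above has not taken effect.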

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.