locked Auto-Login On Invite


I have mixed feelings on this, so I thought I'd type it all out and see what happens.

I noticed when someone invited me to a group, I got the email notice as expected.  I was not already logged in to Groups.IO.  When I clicked on the link to join the group, I was automatically logged in, so didn't have to type my password or anything.

This is nice in one sense, as it makes it easy to join groups in response to invitations.  One complaint over at Yahoo Groups is that some people can't figure out how to manage invitations, which is why they're always asking for the direct add feature back.  I assume here at Groups.IO, that if an invited person didn't already have an account set up, that person would be guided through the process, upon clicking the link, right?

And then there are the concerns.  I usually don't like links that assume you're the recipient of the mail beyond any doubt, because emails get forwarded to other people, who then click on the links, and the site treats them as the original user.  For the more paranoid among us, links in emails are also visible to the people who run the mail server, and mail is frequently transmitted without encryption to anyone who is watching.  If I wanted to attack someone's Groups.IO account, and I had a way to see the email being sent to them, I could create a group, invite that person to it, then use that invite link to break into the account.

Is that likely to happen in real life?  Probably not.  Which is why I have mixed feelings about it.  I would have felt safer if I had been forced to log in with a password, though.
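
The alternative the post asks for, sketched as an added example that is not part of the original post and is not Groups.IO's code: an invite token that identifies one invitation but never creates a login session by itself. The key, the account list, the function names and the return strings are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
ACCOUNTS = {"alice@example.com"}   # constructed: addresses that already have an account
USED = set()                       # invite ids already redeemed (single use)

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def make_invite(invite_id: str, email: str, group: str, expires: int) -> str:
    """Token that names one invitation; it carries no session or login claim."""
    body = json.dumps({"id": invite_id, "email": email, "group": group,
                       "exp": expires}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def redeem_invite(token: str, session_user, now: int) -> str:
    """Decide what a click on the link may do. session_user is the address of
    the already-authenticated browser session, or None if not logged in."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return "reject"                      # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return "reject"                      # tampered or forged
    inv = json.loads(body)
    if now >= inv["exp"] or inv["id"] in USED:
        return "reject"                      # expired or replayed
    if session_user is None:
        # The link alone never logs anyone in: whoever holds it (a forward
        # recipient, a mail operator) still has to authenticate or sign up.
        return "login_required" if inv["email"] in ACCOUNTS else "signup_required"
    if session_user != inv["email"]:
        return "wrong_account"               # logged in as someone else
    USED.add(inv["id"])                      # consume only on a successful join
    return "joined:" + inv["group"]
```

With this split, a forwarded or intercepted invite link can at most prompt for a password or start a sign-up; it cannot open the invited person's existing account.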

