Auto-Login On Invite

I have mixed feelings on this, so I thought I'd type it all out and see what happens.

I noticed when someone invited me to a group, I got the email notice as expected.  I was not already logged in to Groups.IO.  When I clicked on the link to join the group, I was automatically logged in, so I didn't have to type my password or anything.

This is nice in one sense, as it makes it easy to join groups in response to invitations.  One complaint over at Yahoo Groups is that some people can't figure out how to manage invitations, which is why they're always asking for the direct add feature back.  I assume here at Groups.IO, that if an invited person didn't already have an account set up, that person would be guided through the process, upon clicking the link, right?

And then there are the concerns.  I usually don't like links that assume you're the recipient of the mail beyond any doubt, because emails get forwarded to other people, who then click on the links, and the site treats them as the original user.  For the more paranoid among us, links in emails are also visible to the people who run the mail server, and mail is frequently transmitted without encryption to anyone who is watching.  If I wanted to attack someone's Groups.IO account, and I had a way to see the email being sent to them, I could create a group, invite that person to it, then use that invite link to break into the account.

Is that likely to happen in real life?  Probably not.  Which is why I have mixed feelings about it.  I would have felt safer if I had been forced to log in with a password, though.

JohnF

On Tue, Jan 20, 2015 at 7:50 PM, JohnF via GROUPS.IO <user+1242@groups.io> wrote:

This is nice in one sense, as it makes it easy to join groups in response to invitations.  One complaint over at Yahoo Groups is that some people can't figure out how to manage invitations, which is why they're always asking for the direct add feature back.  I assume here at Groups.IO, that if an invited person didn't already have an account set up, that person would be guided through the process, upon clicking the link, right?

Correct. If you don't yet have an account, you're asked to create a password, and an account is created as part of the invite process. If you do have an account, and if you're logged in as that person, it just asks you for your subscription preference. If you are logged in as a different person than the invite was for, you're logged out and asked to log in (or create a password if the other person doesn't have an account).

If the invite is for an existing account, you are automatically logged in. This is a security risk if someone else gets your invite email, which would have to be through some man-in-the-middle attack, or from you forwarding your invite email after you received it. Seems a small risk.

I've thought about other instances along the same line. It'd be really great if the Unsubscribe link in the email footers was a one click unsubscribe, regardless of whether you were logged in or not. But I don't think that's safe.

Mark
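The two posts above describe a design choice: an invite link can grant group membership and, for an existing account, also create a login session. The model below is an added illustration written for this thread; it is not Groups.IO's code, and every name in it (InviteService, accept, auto_login, the sample addresses) is an assumption. It implements the flow Mark describes (no account: set a password and join; logged in as someone else: log out first; existing account: join) with a policy switch. With auto_login=True the link alone yields a session, which is what JohnF observed; with auto_login=False the membership is still granted by the link but an existing account must present its password, so a copy of the email grants nothing by itself. Tokens are random, single-use and time-limited in both modes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Hypothetical invite-flow model for this thread; not Groups.IO's code.


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes

    def check(self, password: str) -> bool:
        # constant-time comparison of the stored digest
        return hmac.compare_digest(hash_password(password, self.salt)[1], self.digest)


@dataclass
class Invite:
    email: str      # address the invite was mailed to
    group: str
    expires: float
    used: bool = False


class InviteService:
    def __init__(self, auto_login: bool):
        # True: the behaviour described in the thread (link logs you in).
        # False: the link grants membership only; existing accounts must log in.
        self.auto_login = auto_login
        self.accounts: Dict[str, Account] = {}
        self.invites: Dict[str, Invite] = {}
        self.members: Set[Tuple[str, str]] = set()

    def create_account(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[email] = Account(email, salt, digest)

    def invite(self, email: str, group: str, ttl: int = 3 * 24 * 3600) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, single-use, expiring
        self.invites[token] = Invite(email, group, time.time() + ttl)
        return token

    def accept(self, token: str, session: Optional[str] = None,
               password: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Simulate clicking the invite link. Returns (outcome, session_email)."""
        inv = self.invites.get(token)
        if inv is None or inv.used or time.time() > inv.expires:
            return "invalid", session
        if session is not None and session != inv.email:
            session = None  # logged in as someone else: log out, as in the thread
        acct = self.accounts.get(inv.email)
        if acct is None:
            # no account yet: the link is also the account-creation step
            if password is None:
                return "need_new_password", session
            self.create_account(inv.email, password)
            session = inv.email
        elif session != inv.email:
            if self.auto_login:
                session = inv.email  # the link alone creates a session
            elif password is not None and acct.check(password):
                session = inv.email
            else:
                return "need_login", session  # membership not granted yet
        inv.used = True
        self.members.add((inv.email, inv.group))
        return "joined", session


def demo() -> Dict[bool, Tuple[str, Optional[str]]]:
    """Constructed scenario: Alice has an account; someone who is not logged in
    (e.g. a forwarded or intercepted copy of the mail) clicks her invite link."""
    results = {}
    for policy in (True, False):
        svc = InviteService(auto_login=policy)
        svc.create_account("alice@example.com", "correct horse battery")
        token = svc.invite("alice@example.com", "beta")
        results[policy] = svc.accept(token, session=None)
    return results
```

Running demo() shows the difference directly: under auto_login=True the anonymous click returns ("joined", "alice@example.com"), i.e. a session for Alice; under auto_login=False it returns ("need_login", None) and the membership is only added once the password check passes. The same approach is what makes a one-click Unsubscribe link hard to do safely: a link that acts without authentication must be treated as a bearer credential for exactly that one action and nothing more.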