Headline
GHSA-3988-q8q7-p787: ash_authentication has email link auto-click account confirmation vulnerability
Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
Patches
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
To create a route to a prebuilt confirmation page, use the following in your router, in the same place as your auth routes.
confirm_route(
MyApp.Accounts.User,
<confirmation_strategy_name>,
auth_routes_prefix: "/auth",
overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
# use these options to keep your currently issued confirmation emails compatible
# without the options below, the route will default to `/<the_strategy_name>/:token`
path: "/auth/user/<confirmation_strategy_name>",
token_as_route_param?: false
)
Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.
If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.
Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
Patches
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
To create a route to a prebuilt confirmation page, use the following in your router, in the same place as your auth routes.
confirm_route( MyApp.Accounts.User, <confirmation_strategy_name>, auth_routes_prefix: "/auth", overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], # use these options to keep your currently issued confirmation emails compatible # without the options below, the route will default to `/<the_strategy_name>/:token` path: "/auth/user/<confirmation_strategy_name>", token_as_route_param?: false )
Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.
If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.
References
- GHSA-3988-q8q7-p787
- team-alembic/ash_authentication@99ea389