Identity Management / Missing Email Verification
Description
Missing email verification is an identity-management weakness: the application lets a newly registered account be used, and treats the email address given at registration as the user's confirmed contact, without ever checking that the registrant controls that mailbox. Anyone can then create accounts bound to addresses they do not own, including other people's addresses. Every feature that trusts the stored address (password reset, notifications, invitations, login links) is therefore built on unverified data: attackers can mass-create throwaway accounts for spam and abuse, or register a victim's address first so that the victim's later sign-up collides with an account the attacker already controls. The OWASP Web Security Testing Guide covers this under its Identity Management tests for the user registration and account provisioning process.
Risk
The severity depends on what the application does with the address. At minimum, unverified registration lets attackers create accounts at scale and bypass per-user abuse controls, and it causes the application to send mail to arbitrary or bogus addresses, which hurts the sender's deliverability reputation. Where the address is also used for password reset, login links, or data shared by invitation to an address, an unverified address undermines those controls, so account data can be exposed and users lose trust in the service.
Solution
The fix is to create every new account in an unverified state and withhold anything that depends on the address (password reset by email, invitations, notifications, and full access if policy requires it) until the address is confirmed. Send a random, single-use, time-limited token to the address, either as a link or as a code the user types back. Store only a hash of the token server-side, compare it in constant time, and invalidate it on success or expiry. If a short numeric code is used, rate-limit verification attempts, since a six-digit code has only a million possible values. If the address already belongs to a verified account, do not reveal that to the registrant; notify the existing owner instead.
Example
Here is an example, in PHP, of how the check can be implemented in a web application. send_email(), get_input() and allow_access(), together with the store/load/clear helpers for the pending code, stand for the application's own mail, input, session and persistence functions.
// Generate a 128-bit random code from the OS CSPRNG and send it to the user's email.
// Store only a hash of the code, with an expiry, so a leaked database cannot be used
// to verify accounts. store_pending_code(), load_pending_code() and clear_pending_code()
// stand for the application's own persistence helpers.
$code = bin2hex(random_bytes(16));
store_pending_code($user_id, hash('sha256', $code), time() + 15 * 60);
send_email($user_email, "Verify your account", $code);

// On the follow-up request: prompt the user for the code and load the stored hash.
echo "Please enter the code sent to your email:";
$user_input = get_input();
list($stored_hash, $expires_at) = load_pending_code($user_id);

// Verify: not expired, and the hashes match. hash_equals() compares in constant time;
// a plain == would also treat numeric-looking strings such as "0e..." as equal.
if (time() <= $expires_at
    && hash_equals($stored_hash, hash('sha256', $user_input))) {
    // Single use: clear the pending code, then allow the user to access the account
    clear_pending_code($user_id);
    allow_access();
} else {
    // Ask the user to try again (attempts should be rate-limited per account)
    echo "The code you entered is incorrect or has expired. Please try again.";
}
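The following is an added example, not part of the original page, that carries the solution described above further than the PHP snippet: a small in-memory registry, written in Python, that keeps an account unverified until a single-use, time-limited token is presented, stores only a SHA-256 hash of that token, compares it in constant time, and replaces an unverified pending account when the same address is registered again, so that someone who registered another person's address first cannot keep that account alive. Registry, Account, TOKEN_TTL_SECONDS and the outbox list are assumptions standing in for the application's own models and mail transport, and the addresses are constructed sample input.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy: a verification token is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    """Hypothetical account model: nothing that trusts the address works until verified."""
    email: str
    verified: bool = False
    # Only the SHA-256 of the outstanding token is stored, so a database leak
    # does not let an attacker verify accounts for addresses they do not own.
    token_hash: Optional[bytes] = None
    token_expires_at: float = 0.0


class Registry:
    """Hypothetical in-memory registration store (stands in for the app's database)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._accounts: Dict[str, Account] = {}
        # Stand-in for the mail transport: (recipient, token) pairs the app "sent".
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _normalize(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str) -> None:
        email = self._normalize(email)
        existing = self._accounts.get(email)
        if existing is not None and existing.verified:
            # Address already belongs to a verified user. Say nothing to the
            # registrant (no enumeration); a real app would mail the owner instead.
            return
        # A pending, unverified account for this address is discarded and replaced.
        # Whoever controls the mailbox receives the only token that can still verify
        # it, so an attacker who registered the address first gains nothing.
        account = Account(email=email)
        self._accounts[email] = account
        self._issue_token(account)

    def _issue_token(self, account: Account) -> None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        account.token_hash = hashlib.sha256(token.encode()).digest()
        account.token_expires_at = self._clock() + TOKEN_TTL_SECONDS
        self.outbox.append((account.email, token))

    def verify(self, email: str, token: str) -> bool:
        email = self._normalize(email)
        account = self._accounts.get(email)
        if account is None or account.verified or account.token_hash is None:
            return False
        if self._clock() > account.token_expires_at:
            return False  # expired tokens are never accepted, even if correct
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison of two equal-length digests.
        if not hmac.compare_digest(presented, account.token_hash):
            return False
        account.verified = True
        account.token_hash = None  # single use: the same token cannot be replayed
        return True

    def is_verified(self, email: str) -> bool:
        account = self._accounts.get(self._normalize(email))
        return account is not None and account.verified


if __name__ == "__main__":
    registry = Registry()
    registry.register("Alice@Example.com")       # constructed sample address
    recipient, token = registry.outbox[-1]        # what the user would find in the mail
    print("verified before token:", registry.is_verified(recipient))
    print("wrong token accepted:", registry.verify(recipient, "not-the-token"))
    print("right token accepted:", registry.verify(recipient, token))
    print("replay accepted:", registry.verify(recipient, token))
```

The clock is injectable so expiry can be exercised deterministically; in a real deployment the same three rules still apply: hash the token at rest, compare in constant time, and treat the account as unverified for every address-dependent feature until verify() has succeeded once.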