I think there may be a security issue using guest accounts.
Take the following scenario:
This is mitigated somewhat if the option to verify registrations by email is enabled. However, as this can deter some users from purchasing, it's likely that store owners would disable this.
If Alice had a long list of email addresses she could check them against the XHR endpoint that is used on the checkout page. She could then create accounts for any email addresses that don't have accounts and log in. She might get lucky and get access to user data.
This issue is related to this: https://github.com/Sylius/Sylius/issues/6883
As for now, our recommendation would be to keep email verification turned on (that's the default). We'll add an appropriate tooltip to the channel management that explains this issue so that no one turns it off without knowing the consequences.
Currently, we assume there's only one customer for a given email, so we can't really unassign them on a case-by-case basis. We could mitigate that by adding a unique constraint on the customer for both email and user, instead of email only, so that a registered customer could not see the orders made before by an unregistered customer with the same email.
As for the XHR endpoint, even without it, it could be checked easily by sending the registration form.
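As an added illustration (not Sylius code; the Store and Customer classes and the unique_on_email_only flag are constructed for this example), the model below contrasts keying customers by email alone, where a later registration inherits the guest's order history, with the (email, user) uniqueness proposed above, where the guest row stays separate:

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Customer:
    email: str
    user_id: Optional[str] = None  # None means a guest (unregistered) customer
    orders: list = field(default_factory=list)

class Store:
    def __init__(self, unique_on_email_only: bool):
        self.unique_on_email_only = unique_on_email_only
        self.customers = []

    def _find(self, email, user_id):
        # Email-only keying matches any row with that email; (email, user)
        # keying also requires the same user (None for guest rows).
        for c in self.customers:
            if c.email == email and (self.unique_on_email_only or c.user_id == user_id):
                return c
        return None

    def guest_checkout(self, email, order_id):
        # A guest order is attached to a customer row that has no user account.
        c = self._find(email, None)
        if c is None:
            c = Customer(email)
            self.customers.append(c)
        c.orders.append(order_id)
        return c

    def register(self, email, user_id):
        if self.unique_on_email_only:
            # Email is the only key: registration takes over the guest row and
            # the new account inherits every order placed under that email.
            c = self._find(email, None)
            if c is None:
                c = Customer(email)
                self.customers.append(c)
            c.user_id = user_id
            return c
        # Uniqueness on (email, user): the guest row stays a separate customer,
        # so registering an address never exposes earlier guest orders.
        c = Customer(email, user_id)
        self.customers.append(c)
        return c

    def orders_visible_to(self, user_id):
        # What a logged-in account can see: orders of every row linked to it.
        return [o for c in self.customers if c.user_id == user_id for o in c.orders]
```

Email verification before linking closes the same gap in the email-only model, which is why keeping it enabled matters while the constraint does not exist.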
This issue has been automatically marked as stale because it has not had any recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.