Severity: medium | CWE-358 | OWASP A07:2021

No Email Verification

Allowing unverified email accounts lets attackers register with someone else's email address, potentially locking them out or impersonating them.

How It Works

Without email verification, anyone can register with admin@company.com or user@competitor.com. This enables account pre-hijacking (registering before the real owner does), sending spam from your platform, and abusing free-tier limits with throwaway addresses.

Vulnerable Code

// BAD: account created and immediately usable without email verification
async function register(email: string, password: string) {
  const user = await createUser({ email, password, verified: true }); // no verification
  return createSession(user);
}

Secure Code

// GOOD: send verification email and require confirmation before full access
async function register(email: string, password: string) {
  const user = await createUser({ email, password, verified: false });
  const token = generateVerificationToken();
  await saveVerificationToken(user.id, token);
  await sendVerificationEmail(email, token);
  return { message: 'Check your email to verify your account' };
}

Real-World Example

Account pre-hijacking attacks were documented in a 2022 academic paper that found 75 popular websites (including LinkedIn and Instagram) vulnerable: an attacker registers with another user's email address before that user signs up, then takes over the account when the victim later registers via OAuth.

How to Prevent It

  • Require email verification before granting full account access
  • Use time-limited, single-use verification tokens (expire after 24 hours)
  • Limit what unverified accounts can do — read-only or no API access
  • Implement the verification token with a cryptographically random value (32+ bytes)
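The secure pattern above, carried through with the prevention points in this list, as an added example that is not the page's own code: in-memory maps stand in for the database and mail sender, and the names `users`, `pendingTokens`, `outbox`, `verifyEmail` and `canUseApi` are assumptions. It additionally persists only a SHA-256 hash of the token, so a leaked token table cannot be replayed.

```typescript
import { randomBytes, createHash } from 'node:crypto';

// Constructed in-memory stores standing in for the database and the mail sender.
type User = { id: number; email: string; verified: boolean };
type Pending = { userId: number; expiresAt: number };
const users = new Map<number, User>();
const pendingTokens = new Map<string, Pending>(); // keyed by SHA-256(token), never the raw token
const outbox: Array<{ to: string; token: string }> = [];
const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // tokens expire after 24 hours

// Only the hash is persisted, so a leaked token table cannot be replayed.
const hashToken = (token: string) => createHash('sha256').update(token).digest('hex');

// Registration: the account starts unverified and a single-use token is mailed out.
function register(email: string, _password: string, now = Date.now()) {
  const user: User = { id: users.size + 1, email, verified: false };
  users.set(user.id, user);
  const token = randomBytes(32).toString('hex'); // 32 bytes from the CSPRNG
  pendingTokens.set(hashToken(token), { userId: user.id, expiresAt: now + TOKEN_TTL_MS });
  outbox.push({ to: email, token });
  return { userId: user.id, message: 'Check your email to verify your account' };
}

// Verification: consume the token first, then check expiry, so it can never be used twice.
function verifyEmail(token: string, now = Date.now()): boolean {
  const key = hashToken(token);
  const pending = pendingTokens.get(key);
  if (!pending) return false; // unknown, already used, or forged token
  pendingTokens.delete(key);
  if (now > pending.expiresAt) return false; // expired: the user must request a fresh token
  const user = users.get(pending.userId);
  if (!user) return false;
  user.verified = true;
  return true;
}

// Gate for anything beyond read-only: unverified accounts get no API access.
function canUseApi(userId: number): boolean {
  const user = users.get(userId);
  return user !== undefined && user.verified;
}
```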

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
