Comment by herczegzsolt

4 days ago

In my opponion, all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

It indicates a deeper cultural issue of "convenience/profit over security" if those are sufficient reasons to not check the sub parameter.

5 comments

herczegzsolt

> all of those cases very well justify a manual check, or some sort of extended identification before the user is let in.

Just curious, what would that check look like that's not open to the same vuln?

herczegzsolt 4 days ago

For example a call to the registered owner or contact person of the organizaton (not the user).
Any out-of-band communication should work which checks for the legal entity, not just something that eventually relies on DNS.
Alternatively, you can always just not let them access the old user, and create a new one instead.
ycombinatrix 4 days ago
"Your account seems to have changed hands and is locked for your security.
The person paying for your subscription must contact us to verify your account is still legit."
- chavesn 4 days ago
  
  Right, and how would you further verify “the person paying for your subscription”?
  
  1 reply →