GHSA-3988-q8q7-p787

Impact

The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.

This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.

Patches

A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.

To mitigate, follow these steps:

1. Upgrade ash_authentication >= 4.7.0
2. Upgrade ash_authentication_phoenix >= 2.6.0 (if using ash_authentication_phoenix)
3. Set require_interaction? true in your confirmation strategy.
4. Add confirm_route to your router, if using ash_authentication_phoenix above auth_routes.

Setting require_interaction? true

modify your confirmation strategy like so:

confirmation <strategy_name> do
  ...
  require_interaction? true
end

Adding the confirm_route to your router

In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the path and token_as_route_param? options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.

IMPORTANT - above auth_routes

Make sure this goes above auth_routes if you are using the path option, and it begins with /auth, or whatever your configured auth_routes_prefix is. auth_routes greedily handles all routes at the configured path.

confirm_route(
  MyApp.Accounts.User,
  <confirmation_strategy_name>,
  auth_routes_prefix: "/auth",
  overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
  # use these options to keep your currently issued confirmation emails compatible
  # without the options below, the route will default to `/<the_strategy_name>/:token`
  path: "/auth/user/<confirmation_strategy_name>",
  token_as_route_param?: false
)

Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.

If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.