Abusing non-unique email address as login

Does anyone have any thoughts on a system that is set to allow users to create accounts with non-unique email addresses? This feels like there could be some way to abuse the system and create problems if two totally separate users could create accounts with the same email address, and that email address would also be the user's login credential. I am trying to figure out if there is any possible risk in allowing this, such as gaining details of another account, being able to block an account, or maybe resetting the password.

Anyone have experience or ideas of things I can try?

Why would you allow a system to create accounts with non-unique email addresses though? Or is it just to see what would happen?

I assume it may override the database with the new details? You may get stuck in a loop of each account owner resetting their passwords?

I can’t ever imagine a scenario where this would happen though. If you have a system that is allowing that, it sounds like poor design in my opinion.


I suppose it could be to let users have a personal and a business account from the same email, or some other reason, but I agree, it would be a bad design and that is why I would try to break it.

User id numbers in the database would prevent records from being overridden but I still feel there would be some way of messing things up.

Okay, I think I may have misunderstood…

I approached this from the angle that the email address is also the thing the user uses to access the system, e.g. instead of a username.

Another issue here to think about/test though - how are you going to communicate with the user?

Companies shouldn’t be putting all of your account details on one email in case the email got intercepted, for example, but they may give the other user enough information that they themselves can compromise the account.

So I would suggest communication is a big risk here in addition to what I mentioned in my previous reply.

Reminds me of Mission Impossible where there are “3 people with that email address”.

From a technical standpoint there needs to be something that is different between account 1 and account 2, and the system that is supposed to authenticate the accounts needs to get that unique identifier as part of the process, otherwise you will have a severe security hole.

So then it depends on why you would ever want one credential to be several accounts, and here are some scenarios that are familiar.

First, where you have one account but in that account you can act as another user. We used it for account managers to be able to “log in” to their clients' accounts. They still only have one set of credentials, but in the system they have an option to swap to another user associated with their account.

Another scenario is Blizzard's Battle.net, where you have one credential but your display name can be the same as other users'. (You have a unique BattleTag # to differentiate between two different users, and they use different login credentials too.) They also have the option for the same account to play in several regions, which in reality is similar to having multiple accounts, as things you do in one region are independent of things you do in another in the specific application (a game in this case).
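To make the "unique identifier has to travel through authentication" point concrete, here is an added example that is not from any poster in this thread. It models a user table where the email is deliberately not unique, then runs two versions of the login and password-reset flows over it: the naive version keyed only on the email (the equivalent of `SELECT ... WHERE email = ? LIMIT 1`), and a version that carries the unique `user_id` through. The accounts, emails and passwords are constructed for the demo; the `Store`, `naive_login`, `login` and `reset_target` names are assumptions for illustration, not any real product's API.

```python
"""Added example: what breaks when the login identifier (email) is not unique.

The two accounts below are constructed demo data; the class and function
names are hypothetical, not from any real system.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    user_id: int
    email: str
    salt: bytes
    pw_hash: bytes

    def check(self, password: str) -> bool:
        return hmac.compare_digest(hash_pw(password, self.salt), self.pw_hash)


class Store:
    """In-memory user table. The email column is deliberately NOT unique;
    only user_id is."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, password: str) -> int:
        user_id = len(self.accounts) + 1
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, email, salt, hash_pw(password, salt))
        return user_id

    def by_email(self, email: str):
        return [a for a in self.accounts.values() if a.email == email]


# --- flows keyed only on the email (the ambiguous design) -------------------

def naive_login(store: Store, email: str, password: str):
    """First match wins: whoever registered the email first shadows everyone
    else, so the second registrant can never log in (an account block)."""
    matches = store.by_email(email)
    if not matches:
        return None
    first = matches[0]
    return first.user_id if first.check(password) else None


def naive_reset_target(store: Store, email: str):
    """'Reset the password for this email' silently picks one account."""
    matches = store.by_email(email)
    return matches[0].user_id if matches else None


# --- flows that carry a unique identifier through authentication -----------

def login(store: Store, email: str, password: str):
    """Verify every account behind the email and succeed only when exactly
    one matches. Two accounts with the same email AND password cannot be
    told apart, so that case is refused instead of guessed."""
    hits = [a.user_id for a in store.by_email(email) if a.check(password)]
    return hits[0] if len(hits) == 1 else None


def reset_target(store: Store, email: str, user_id: int):
    """Reset is addressed to the (email, user_id) pair, never to the email
    alone; the id is the unique identifier the thread says must be present."""
    acct = store.accounts.get(user_id)
    return acct.user_id if acct and acct.email == email else None


def demo():
    store = Store()
    alice = store.register("shared@example.com", "alice-pw")  # constructed
    bob = store.register("shared@example.com", "bob-pw")      # constructed
    return {
        "alice": alice,
        "bob": bob,
        "naive_bob_login": naive_login(store, "shared@example.com", "bob-pw"),
        "naive_reset_hits": naive_reset_target(store, "shared@example.com"),
        "bob_login": login(store, "shared@example.com", "bob-pw"),
        "alice_login": login(store, "shared@example.com", "alice-pw"),
        "reset_bob": reset_target(store, "shared@example.com", bob),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two failure modes the thread worries about: with first-match lookup Bob cannot log in at all (his registration is effectively blocked by Alice's), and a reset addressed to the shared email lands on Alice's account regardless of who asked. The id-carrying versions resolve both, but note the remaining edge: if both accounts also share the same password there is no identifier left to distinguish them, and the only honest answer is to refuse and require a discriminator (a user id, a tag like the BattleTag example, or a tenant) at login time.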