1

My app allows users to invite people they know by email. If the invitee is not already registered, we send an email asking the invitee to register.

I'd like to be able to send unique signup links that contain an email GET param and use this GET param on the app side to populate the email field of the registration form.

Will I introduce any additional security vulnerability by doing so?

An example...

Email URL: https://www.domain.com/signup?email=me@email.com

The app will then use params[:email] to retrieve the email from the URL and set that as the registration form's email field.

Jonathan Mui
  • 2,471
  • 3
  • 19
  • 27

2 Answers2

0

You'll be leaking a bit of data potentially. If you did sequential numbers, and I got number 999, I'd know to try numbers 999 and below and I'd be able to get email addresses.

Here are some ideas on how to generate random, unique params: PHP: How to generate a random, unique, alphanumeric string?

You'll need to feed in the email address instead of an ID though.

Community
  • 1
  • 1
Noah Clark
  • 8,101
  • 14
  • 74
  • 116
  • What data is being leaked? I don't understand why sequential numbers are involved in this question. – Jonathan Mui Jan 31 '13 at 21:18
  • This would introduce nothing more than accepting any other type of get Param from a user. Depending on how you handle that it can be very dangerous. – Noah Clark Feb 01 '13 at 17:13
0

No; as long as you treat that string as untrusted data and handle it appropriately, this doesn't introduce any vulnerabilities.

Michael
  • 955
  • 4
  • 12