Dbl Opt-in security breach
Hi,
I manage web servers using your plugin and have double opt-in activated.
So it should not be possible for subscribers to get status confirmed if they never got the confirmation mail?
But…
Several times I’ve seen the confirmation email on hold in the mail server (postfix) queue because no mail server was available for the subscriber domain (those are obviously bots or bogus emails being used), and yet I find the account for that email activated.
I don’t know how they did it (and don’t have the time to investigate further). I doubt it was via brute force because we use rate limiting on the nginx setup and we also use Wordfence.
I suspect there is a trick they use where they can get the confirmed status at registration time, or that they can get hold of the confirmation key somehow. Hope this can help you improve your newsletter plugin.
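The two failure modes the post suspects (a signup request that sets the confirmed status directly, and a confirmation key that can be obtained without the email) map onto a few server-side rules for a double opt-in store: the request never decides the status, the key is random and only its hash is stored, it is checked with a constant-time comparison, it expires, and it is single use. The following is an added, illustrative Python model of such a store; it is not the plugin's code, and the class, field names and 48-hour expiry are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed expiry for this example; the real plugin's value is not stated on the page.
TOKEN_TTL_SECONDS = 48 * 3600


class DoubleOptIn:
    """Minimal in-memory double opt-in store (illustrative, not the plugin's own code)."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested offline
        self._subscribers = {}       # email -> record dict

    @staticmethod
    def _hash_token(token: str) -> str:
        # Only the hash is persisted, so reading the subscriber table
        # (or a leaked backup) does not yield a usable confirmation key.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, email: str, **client_fields) -> str:
        """Create a pending record and return the plaintext token that goes
        into the confirmation email. Any client-supplied field such as
        'status' is deliberately ignored: the server alone sets the status,
        so a crafted signup request cannot self-confirm."""
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, unguessable
        self._subscribers[email.lower()] = {
            "status": "pending",              # never taken from client_fields
            "token_hash": self._hash_token(token),
            "token_expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Confirm only when a live, unexpired token for this email matches."""
        rec = self._subscribers.get(email.lower())
        if rec is None or rec["status"] != "pending" or rec["token_hash"] is None:
            return False
        if self._now() > rec["token_expires"]:
            return False                      # stale link: require a fresh signup
        if not hmac.compare_digest(self._hash_token(token), rec["token_hash"]):
            return False                      # constant-time compare, no timing leak
        rec["status"] = "confirmed"
        rec["token_hash"] = None              # single use: the same link cannot replay
        return True

    def status(self, email: str):
        rec = self._subscribers.get(email.lower())
        return rec["status"] if rec else None


def demo() -> dict:
    """Walk through the scenarios the post raises and return the observed outcomes."""
    clock = [1_000.0]                          # constructed fake clock
    store = DoubleOptIn(now=lambda: clock[0])

    # 1. Signup that tries to pass status=confirmed in the request body.
    token = store.register("alice@example.test", status="confirmed")
    after_signup = store.status("alice@example.test")

    # 2. Guessed / empty key, then the real key from the email, then a replay.
    wrong_key = store.confirm("alice@example.test", "not-the-key")
    empty_key = store.confirm("alice@example.test", "")
    real_key = store.confirm("alice@example.test", token)
    replay = store.confirm("alice@example.test", token)

    # 3. A key that was never acted on within the expiry window.
    stale = store.register("bob@example.test")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.confirm("bob@example.test", stale)

    return {
        "status_after_signup": after_signup,
        "wrong_key_accepted": wrong_key,
        "empty_key_accepted": empty_key,
        "real_key_accepted": real_key,
        "replay_accepted": replay,
        "expired_key_accepted": expired,
        "final_status": store.status("alice@example.test"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With this shape, an account can reach `confirmed` only through `confirm()` with the exact key that was generated at signup, which is the property the post expects of double opt-in. A practical check against the symptom described (confirmed accounts whose confirmation mail is still queued) is to compare the confirmation timestamp with the mail log: a confirmation that precedes successful delivery indicates the status was set by some path other than the emailed link.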