Open danielkop opened 8 years ago
Well, before the queue is open, you can't really get the knowledge of the register route and once the queue is open, you can only register them to the queue ;)
@danielkop what do you think? can we close it?
Can we decide this is unreachable code and remove it altogether?
On Mar 20, 2016 10:16 PM, "Elad Gariany" notifications@github.com wrote:
It's a valid good point. @omerpines, what do you think?
I will simplify. Since the route of /register is unknown and can be reached only AFTER THE SALES STARTS (i.e. it won't be visible/unreachable on the front-end as well, since only once the queue is open /status will redirect to the page with the route... on latest sale it was 19791108.html). This solution protects users even from the ability to sneak in... should we remove the banned users list? (it will probably be empty anyhow).
Don't understand the problem here. We don't use the ban at all (only tracking it afterwards via the logs). The attacker cannot know the route until we open the queue. What's the issue?
The thing is, since the POST /register route to get into the queue is configured as an ENV variable and will change for every sale, no one can guess it before the sale starts - therefore no one will be added to the ban list (i.e. as @danielkop defined it: unreachable code).
Let's face it, I really hate badperson@badcompany.com. An attacker with knowledge of {REGISTER_ROUTE} can send their email instead of their own, and get them banned.
Not sure "banning" really adds to the security of the system.