I think we should have a docs page where we can explain the potential security issues with Party Acquisition. I think we should leave it up to site builders to decide what degree of security they should go for.

Bell and Bill = B for Booking Manager
Tim = T for Tickets
Paul = P for Party
Oscar = Grouch, he's mean

Potential problem scenarios

Someone makes a mistake that gives an evil person access to the information they input
Bell creates a booking for Tim, but inputs the incorrect e-mail: she inputs Evil Andrew's e-mail.
Evil Oscar creates a booking for himself and gains access to Tim's information from Bell.

This happened because Bell input an incorrect e-mail. She has effectively sent Tim's information to Evil Andrew accidentally, as if she had mistyped something whilst using Google Mail. There are a number of potential ways to solve this:

- Ask Tim for further information - When Bell inputs ticket information the system could ask her for some more personal details that Tim would know. Then, when Tim tries to acquire his party, it could first ask some questions. Date of birth or postcode may be appropriate, depending on what information it is appropriate for the system to know and how sensitive the information is.
- Party acquisition could require a special code that Bell is told which she can give to Tim in real life. Alternatively this code could be sent via SMS to Tim's mobile number.
- A big issue is whether or not Bell realises that this is an outcome. In an e-mail system she will know that it is very important to input the correct information, and the same with a banking system. However, Bell may not realise how important it is to get the correct e-mail, and so Party may need to put some effort into making it very clear to Bell what the security implications are. There is a question as to whether sending the information to Tim, let alone Evil Oscar, is an "expected outcome".
- We could require Bell to type the e-mail address twice to minimise the chance of this.

We decided on the last option due to the client's particular needs and the ease of that situation.

Someone makes a mistake that gives an evil person access to someone else's data
Bill creates a booking ticket for Tim and inputs some information into the party. He puts things in correctly.
Bell creates a booking ticket for Tim but inputs the incorrect e-mail: she inputs Evil Oscar's e-mail.
Evil Oscar creates a booking for himself and gains access to Tim's information from both Bill and Bell.

If we only use e-mail to handle the automatic acquisition of a party by a user, then for this scenario to happen both Bill and Bell would have to input the same wrong e-mail. This is unlikely. However, this is a scenario that needs to be avoided if we use other methods of Party Acquisition.

There may be other analogous situations that we need to watch out for.

This is as a result of Joachim's discussion here: http://drupal.org/node/1736622#comment-6360372

Someone changes their details later and gains access to other people's stuff
Evil Oscar signs up and creates a Drupal User which creates a party.
Evil Oscar changes his e-mail to Tim's E-mail address
Bell starts a booking and books a ticket for Tim using his e-mail
Evil Oscar obtains Tim's ticket information

http://drupal.org/project/email_confirm -> This should fix it as long as the e-mail only changes AFTER it's verified.

Comments

yautja_cetanu:

Issue summary updated: Added another issue

joachim:

> Then when Tim tries to acquire his party it could first ask some questions.

That's an interesting idea.

> Alternatively this code could be sent via SMS to Tim's mobile number.

That too.

Party acquisition could be a 2-factor process, where you need a code sent to your email AND a code sent to SMS / given in person. You need to enter both codes to acquire the party.
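As an added illustration (not code from the Party module, from Drupal, or from any commenter on this issue): a small stand-alone Python model of the two-factor acquisition joachim describes, combined with the email_confirm behaviour noted in the summary, where an e-mail change only takes effect after the new address is verified. The persona names, the code lifetime, the attempt limit and the e-mail/mobile fields are assumptions for the example; the channels (e-mail, SMS or handing a code over in person) are represented by simply returning the codes from `start_acquisition`.

```python
# Added illustration of party acquisition with two out-of-band codes and
# verified-only e-mail changes. Stand-alone Python, not Party module code;
# the constants and channel handling are assumptions for the example.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an acquisition challenge
MAX_FAILED_ATTEMPTS = 5      # assumed lock-out threshold per party


@dataclass
class Party:
    """A party created by a booking manager (Bell or Bill) for someone else."""
    party_id: str
    contact_email: str        # typed by the booking manager and may be wrong
    contact_mobile: str       # second channel, independent of the e-mail
    data: dict                # the ticket/booking information being protected
    owner: Optional[str] = None
    email_code: Optional[str] = None
    sms_code: Optional[str] = None
    code_issued_at: float = 0.0
    failed_attempts: int = 0


@dataclass
class User:
    """A site account. Acquisition only ever matches on verified_email."""
    user_id: str
    verified_email: str
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def _new_code() -> str:
    """Six random digits: short enough to type from an SMS, guarded by a TTL
    and an attempt limit rather than by its own entropy."""
    return f"{secrets.randbelow(10 ** 6):06d}"


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not leak the code."""
    return hmac.compare_digest(a.encode(), b.encode())


def start_acquisition(party: Party, now: float) -> Tuple[str, str]:
    """Issue one code per channel. A real system sends the first to
    party.contact_email and the second to party.contact_mobile (or Bell hands
    it over in person); they are returned here only so the flow can be run."""
    party.email_code = _new_code()
    party.sms_code = _new_code()
    party.code_issued_at = now
    party.failed_attempts = 0
    return party.email_code, party.sms_code


def acquire(party: Party, user: User, email_code: str, sms_code: str,
            now: float) -> bool:
    """Attach the party to the user only if every check passes."""
    if party.owner is not None:
        return False                                 # already acquired
    if party.email_code is None or party.sms_code is None:
        return False                                 # no outstanding challenge
    if now - party.code_issued_at > CODE_TTL_SECONDS:
        party.email_code = party.sms_code = None     # expired: must re-issue
        return False
    if party.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False                                 # locked; needs manual reset
    if user.verified_email.lower() != party.contact_email.lower():
        return False                                 # a pending change does not count
    if not (_same(email_code, party.email_code) and _same(sms_code, party.sms_code)):
        party.failed_attempts += 1
        return False
    party.owner = user.user_id
    party.email_code = party.sms_code = None         # codes are single use
    return True


def request_email_change(user: User, new_email: str) -> str:
    """Record the new address as pending; nothing matches on it yet."""
    user.pending_email = new_email
    user.pending_token = secrets.token_urlsafe(32)
    return user.pending_token                        # sent to new_email only


def confirm_email_change(user: User, token: str) -> bool:
    """Apply the change only when the token sent to the new address comes back."""
    if user.pending_token is None or not _same(token, user.pending_token):
        return False
    user.verified_email = user.pending_email
    user.pending_email = user.pending_token = None
    return True
```

Run against the scenarios above: Tim, whose verified address matches the party, acquires it with both codes; Oscar, who has requested a change to Tim's address but never confirmed it, is rejected before any code is checked; and when Bell mistypes the contact e-mail as Oscar's, Oscar receives the e-mail code but not the SMS code that went to Tim's phone, so the party stays unacquired and locks after repeated guesses.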

joachim:

Issue summary updated: Added the "expected outcome" stuff

yautja_cetanu:

Issue summary updated: Added log for personas

CeperaW:

I cannot install this package

joachim:

Can you open a general support request about that please?