Tip Of The Day: Make Your Email Column Unique

November 14, 2012

Skype screwed up and it got revealed today. Due to a series of stupid things, there is (was) a trivial way to hijack anyone’s account. One of the stupid things is that they allowed a 2nd user to register with an email that is already registered. I have seen this many times, with forums, groupon-like sites (there I debugged their system over the phone), and whatnot – too many systems lack a unique constraint on their email column.

Even though the problems are not always that big as with Skype, you should always have a unique constraint on the email column in the users table. Because that’s what the logic says – one user – one email. If you allow a 2nd user with the same email, then “forgotten password” works for which account? What about emails about promotions – duplicate emails will be sent. Any many more issues coming from not paying attention to this simple thing.

Have in mind that the unique constraint is best imposed at a database level. If you have it just in your code, some future code or change might not obey it.

So, tip of the day – make your email column unique.

5 Responses to “Tip Of The Day: Make Your Email Column Unique”

  1. That most certainly was not the issue. The issue is that they were trying to be clever and were associating new accounts created from a particular screen (invalid login screen with a “create new account” link) with existing accounts so that a user could keep track of all of their accounts.

    You’ll note during the exploit that the attacker never uses the target email other than to generate an invalid login to reach this create account link which will associate the target account with the new account.

    This wouldn’t be so bad if

    a. there was a way to disassociate the two (from either end)
    b. account settings (such as login information) was isolated between the accounts

  2. You’d agree that an unique constraint would have rendered the “hack” invalid. Of course, not displaying the confirmation within the application that requested it would also work, but ultimately, no more than one account per email is the rule that keeps you safe from a whole slew of wrong scenarios.

  3. [...] cool side-effect of using the email as unique identifier (make the database column unique) is that if you add Persona later to your site, users can login with it even though they have [...]

  4. It’s genuinely very complex in this busy life to listen news on
    Television, therefore I just use web for that reason, and take the hottest information.

  5. Thankjs for every other fantrastic post. The place else may just anyone get that
    typle of information in such a perfect approach of writing?

    I hazve a presentation next week, aand I’m on thee look for such info.

Leave a Reply