by tsimionescu 1484 days ago
Most sites go through something like Sign Up > enter email and password > account is created, inactive > send email verification.

If you then log in with SSO using the same email, the existing inactive account, with its password, is merged into the new account, which doesn't require email verification anyway. Furthermore, people logging in with SSO don't usually check or even know about the password; they only use SSO.

With this flow, an attacker knowing your email gets to choose your password, if they can guess a site that you want to SSO login to, but haven't yet.
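A small model of the merge step described above, as an added example that is not from the comment or from any real site: the account store, its fields and both SSO handlers are constructed here. `sso_login_vulnerable` performs the merge the comment describes, while `sso_login_safe` shows the check a defender would add: an SSO identity is never linked to an account whose email was not verified by its owner, so a password set before verification does not survive into the SSO-activated account.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None        # None: no password login possible
    email_verified: bool = False               # set once the owner confirms the email
    sso_subjects: set = field(default_factory=set)  # linked (issuer, subject) pairs


class Accounts:
    """Toy identity store (constructed for this example) keyed by lowercased email."""

    def __init__(self):
        self._by_email = {}

    def password_signup(self, email, password_hash):
        # Step 1 of the flow: the account exists but stays inactive until verified.
        acct = Account(email=email.lower(), password_hash=password_hash)
        self._by_email[acct.email] = acct
        return acct

    def verify_email(self, email):
        # Step 3 of the flow: the owner clicked the verification link.
        self._by_email[email.lower()].email_verified = True

    def sso_login_vulnerable(self, issuer, subject, email):
        # The merge the comment describes: whatever account holds this email is
        # linked and activated, so a password set by a stranger survives.
        acct = self._by_email.setdefault(email.lower(), Account(email=email.lower()))
        acct.sso_subjects.add((issuer, subject))
        acct.email_verified = True
        return acct

    def sso_login_safe(self, issuer, subject, email):
        # Link only to an account whose email the owner actually verified.
        # An unverified shell is discarded, password included, because nothing
        # proves that whoever created it controls the mailbox.
        email = email.lower()
        acct = self._by_email.get(email)
        if acct is None or not acct.email_verified:
            acct = Account(email=email, email_verified=True)
            self._by_email[email] = acct
        acct.sso_subjects.add((issuer, subject))
        return acct
```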