I haven’t yet found information regarding protections for account sharing, and it seems like the authentication links can be used multiple times on different devices and the cookies are set to expire 6 months later.
I’m wondering what would stop someone from taking this magic link and sharing it with a lot of people? Is there code in Ghost that detects this, or a tool that can be added on that tracks this?
It would seem like there should be a configurable limit on the number of persistent cookies that are kept active as a basic way of defeating more widespread account sharing. Alternatively, each device could have a unique cookie, each requiring a new email to set it, or at least a limit to how many times a magic link can be used. Maybe some of this exists?
Perhaps there’s a good answer to this question? I’m a newbie and don’t know.
However, it is an important question, even if it’s addressed in Ghost. That’s because if there’s an answer on the forum or in the support pages, it’s well enough hidden that a simple or extended search didn’t find it for people like me - that newbie.
So, I’ve hearted and suggest others do too, even if you know the answer and don’t have time to reply.
Note, as I write this 17 have viewed and not offered support. I know what that means: rhetorical.
Magic links are “single-use” (technically they allow 3 uses to account for many email providers these days automatically visiting links in emails for spam/virus/advertising checks). They are only valid for 24 hours before first use, and 10 minutes after first use. So, pretty difficult to create widespread account sharing via the login links themselves.
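A small model of the expiry and use-count rules described in the reply above, added here as an illustration; it is not Ghost's own code, and the constants, the `MagicLinkToken` shape and the timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values as stated in the thread; hypothetical constants, not Ghost config keys.
MAX_USES = 3
UNUSED_TTL = timedelta(hours=24)             # valid for 24 h before first use
AFTER_FIRST_USE_TTL = timedelta(minutes=10)  # valid for 10 min after first use


@dataclass
class MagicLinkToken:
    """Server-side state for one issued link (constructed model, not Ghost's schema)."""
    issued_at: datetime
    use_count: int = 0
    first_used_at: Optional[datetime] = None


def redeem(token: MagicLinkToken, now: datetime) -> tuple[bool, str]:
    """Check the link against the policy and, if accepted, record the use."""
    if token.use_count >= MAX_USES:
        return False, "use limit reached"
    if token.first_used_at is None:
        # Never redeemed yet: only the 24 h window since issuance applies.
        if now - token.issued_at > UNUSED_TTL:
            return False, "expired before first use"
        token.first_used_at = now
    elif now - token.first_used_at > AFTER_FIRST_USE_TTL:
        # Already redeemed once: the short post-use window applies from then on.
        return False, "expired after first use"
    token.use_count += 1
    return True, "ok"


def replay_timeline(offsets_minutes: list[int]) -> list[str]:
    """Issue one link at t0 and attempt redemption at each offset; return the reasons."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issuance time
    token = MagicLinkToken(issued_at=t0)
    return [redeem(token, t0 + timedelta(minutes=m))[1] for m in offsets_minutes]


if __name__ == "__main__":
    # Mail scanner hits at +1 min, owner clicks at +2, one forwarded copy at +5, a 4th use at +6.
    print(replay_timeline([1, 2, 5, 6]))
    # Owner clicks at +1 min; a copy opened 15 min later is already dead.
    print(replay_timeline([1, 16]))
    # A link that sat unopened for more than 24 h.
    print(replay_timeline([25 * 60]))
```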
This aspect of this type of link functionality is not mentioned in the main Ghost Security help page where it might sit well, both to help finding the answer more easily and as an advert for how brilliant Ghost is!
Of note is a more commonplace and closely related point that is in fact addressed on that Security Page, but not very well. Thanks to @Cathy_Sarisky who has commented on the vulnerability recently (not the Security page).
I just tested what you indicated and the 4th attempted use did result in a failure. I will also do a test of the 10 minute rule but I of course expect what you said is true. I do believe both of these things in combination will help reduce sharing, especially more widely. It probably wouldn’t do much to keep two people from using one account though.
Is there a limit to the total number of active cookies that a single user can have active? Setting a limit (configurable is better) would prevent one account from creating hundreds of users (if there was demand and organization to do so). A limit would also probably reduce the account sharing between two people when multiple devices are used. If this doesn’t exist, I wonder if there is a way to query the database and perform these operations out of band to limit the active cookies for one account.
It would be nice to see it somewhere. I do try to search before asking questions in forums like this and wasn’t able to find anything, and I did check the security help page which seems like a good place to put it. Having a consistent name that encompasses this functionality would also be useful. Abuse detection maybe? Account sharing security? Dunno. Might well have a name of course, though some names are obscure and therefore hard to search.