We just pushed out a small change to the AUTH link workflow.
In the past, a user would click the users.dal.net AUTH link and the AUTH
request would immediately be processed.
There's a fatal flaw in this logic though. Some email providers and
antispam/antivirus packages scrape or preview all email links to see if
the links are "safe". If an automated process like this previews the
AUTH link URL, it'll be as if the user clicked the link and authorized
the change. Sometimes the user doesn't want this to happen, like during
the email address change process where clicking the first email link
will abort the email change.
Effective immediately, we now require all users.dal.net AUTH links to be
confirmed in the browser by the user. When they first click the AUTH
link, they'll see a message, "Click below to confirm you would like to
process an AUTH request for the nick BLAHBLAH." The AUTH request will
not be processed until the "Confirm" button is clicked, something that
an automated crawler will not do.
Thanks to sps for bringing this to our attention.
--
Ryan Smith <xpsycho(a)dal.net>
Server Administrator (foxtrot.dal.net) and SRA
The DALnet IRC Network
PGP Fingerprint: 8A27 3349 2B43 D378 6349 8674 F13A D7BA C90E D44E
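
The flaw and the fix described in the announcement above, as an added example that is not part of the original message and not DALnet's code. It assumes the confirmation is a form POST; the handler names, the token and the in-memory store are hypothetical.

```python
from html import escape

def new_store():
    # Constructed sample: one pending AUTH request keyed by the emailed token.
    return {"tok-demo-123": {"nick": "BLAHBLAH", "processed": False}}

def legacy_handle(store, method, token, form=None):
    """Old flow: any fetch of the link processes the request."""
    req = store.get(token)
    if req is None:
        return 404, "Unknown AUTH link."
    req["processed"] = True
    return 200, "AUTH request processed."

def confirm_handle(store, method, token, form=None):
    """New flow: GET/HEAD only render the prompt; POST with confirm=1 acts."""
    req = store.get(token)
    if req is None:
        return 404, "Unknown AUTH link."
    if req["processed"]:
        return 410, "AUTH request already processed."
    if method in ("GET", "HEAD"):
        # Safe methods must not change state, so a preview is harmless.
        nick = escape(req["nick"])
        return 200, (
            "<p>Click below to confirm you would like to process an AUTH "
            f"request for the nick {nick}.</p>"
            '<form method="post"><button name="confirm" value="1">'
            "Confirm</button></form>"
        )
    if method == "POST" and (form or {}).get("confirm") == "1":
        req["processed"] = True
        return 200, "AUTH request processed."
    return 400, "Confirmation required."

def scanner_preview(handler, store, token):
    """Model a mail link scanner: it fetches the URL but submits no form."""
    for method in ("HEAD", "GET"):
        handler(store, method, token)
    return store[token]["processed"]

if __name__ == "__main__":
    tok = "tok-demo-123"
    print("legacy:", scanner_preview(legacy_handle, new_store(), tok))
    print("confirm:", scanner_preview(confirm_handle, new_store(), tok))
```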