Security issue with signup

Christopher,
That's correct behavior. You can set those values in JFBConnect to be editable, if you want, it's a simple setting. In that case, they are directly exposed to the user to modify before submitting the form so that they can choose their own username, password and email address. That's the administrator's option if they want the user to be able to change those settings during the registration process.

As for the FB user id that is used for the association, that is *not* taken from the form as that would be a security issue if the user could associate their account to any Facebook user. We fetch the FB User ID during the registration process securely from Facebook's cookie that they set for us.

Finally, after the JUser object is bound to the data passed in during registration, we attempt to do a save which will check if the username and email are already taken by another user. If so, the registration will not process and the user will be sent back to the Login/Register page to try again.

Please feel free to test and let us know if you are still unsure about something. We take security very seriously, and have gone over our registration process many times to make sure it's secure. I'm by no means guaranteeing anything, but I don't think this is an issue.

Thanks,
Alex

It's definitely not a security issue, like you mention. I can see where it could be a problem to get around activation. However, the user has already been activated by Facebook, so you know they (likely) aren't a 'bad' user. Additionally, if they edit their profile in Joomla, they have the ability to edit their own email address directly after registration, so that's easily changed at any point anyways.

As to your final question:

If the ability to edit the fields is off, do not use hidden variables to pass them, but store them in the session object so they cannot be tampered-with?

That should be very easy to do for the email field. We wouldn't do it for the password field, as there's no issue with tampering with that field. Let me look into the change that would be required, and also let me know if you still want this, given the above about changing a user's email later on anyways. Shouldn't be difficult, but may take a day or so to come up with the best solution.

Thanks,
Alex

We agree that it's a little beyond what we want to implement. I'll agree that the ability to fiddle with the email address isn't ideal, it's honestly not something we see being abused since it's not obvious and not something that can be repeated unless the 'bad' person has many Facebook accounts.

Either way, glad we could talk you through it, and happy you understand the uniqueness aspect. We really try hard not to add features unless a wide audience would use it. We have enough options already and try hard to decrease even those instead of increase them.. it makes everything easier.

Best of luck,
Alex