Avoid automated registrations on Gigya

marc-reverter
Member
0 Kudos

We detected a security issue during the registration. If we do an initRegistration call we can use the regToken returned to perform N calls of registration to Gigya with a script. Until the regToken expires these calls are accepted and the users are created.

Is there any way to block these malicious requests? We can't do anything on our side because the calls go to the Gigya API. Could Gigya control the requests per second with the same IP/token and block them?

Could anyone help us?

Thanks

iandotha
Discoverer

Why do you believe this to be a security issue?
How is reusing the regToken any different than calling initRegistration many times?
In both cases, there are rate limits to registration flows to prevent abuse.

The real use case for the regToken is not one of security, but to help the platform identify registration dropoffs.

If registration fraud is a concern, additional measures such as CAPTCHA should be employed.
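The pattern the question describes (one initRegistration, then many register calls reusing the same regToken from one IP) is easy to spot in API audit logs once you look for it. The following is an added example, not Gigya's or the poster's code; the log format, field layout and the tok_A/tok_B values are constructed for illustration, and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag regToken reuse and per-IP registration bursts in constructed audit logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, API method, regToken, outcome.
# tok_A completes three registrations in three seconds; tok_B is a normal flow.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z 203.0.113.5 accounts.initRegistration tok_A ok
2023-05-01T10:00:01Z 203.0.113.5 accounts.register tok_A ok
2023-05-01T10:00:02Z 203.0.113.5 accounts.register tok_A ok
2023-05-01T10:00:03Z 203.0.113.5 accounts.register tok_A ok
2023-05-01T10:05:00Z 198.51.100.7 accounts.initRegistration tok_B ok
2023-05-01T10:05:30Z 198.51.100.7 accounts.register tok_B ok
"""

def parse(log_text):
    """Split each whitespace-delimited line into an event dict (assumed format)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, method, token, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ip, "method": method, "token": token, "outcome": outcome})
    return events

def successful_registrations(events):
    return [e for e in events if e["method"] == "accounts.register" and e["outcome"] == "ok"]

def detect_token_reuse(events, max_per_token=1):
    """Return {regToken: count} for tokens that completed more than one registration."""
    counts = defaultdict(int)
    for e in successful_registrations(events):
        counts[e["token"]] += 1
    return {t: n for t, n in counts.items() if n > max_per_token}

def detect_ip_burst(events, window=timedelta(seconds=60), threshold=3):
    """Return {ip: count} for IPs reaching `threshold` registrations inside `window`."""
    by_ip = defaultdict(list)
    for e in successful_registrations(events):
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged
```

Either signal on its own is enough to raise an alert; the token-reuse check is the sharper one, since a legitimate flow completes at most one registration per regToken.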