“Magic links” can end up in Bing search results — rendering them useless.

  1. A unique token is generated and emailed to the user as a link; clicking it verifies that email address and logs them in automatically
  2. The token is then expired (which I forgot to actually do)

But how was Bing logging into user accounts?

A little more server logging and digging pointed to the email tokens. All of these Bingbot sessions started at the “verify email” URL, with the unique token appended. There was no referrer.

Bing has been indexing my email verification links.

Bingbot was then automatically visiting these links, and automatically logging into the new user accounts.

The fix

As a quick fix, I’ve deployed the missing token expiry feature (all tokens now expire after usage, and are only valid for 1 hour).
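As an added example (not code from the post), here is a minimal token store that implements the fix described above: each magic-link token is stored only as a hash, is consumed on first use, and is rejected after one hour. `MagicLinkStore`, the user ids and the timestamps are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # the 1-hour validity window the post settles on


@dataclass
class MagicLinkStore:
    """Single-use, time-limited email verification tokens (constructed example)."""

    # sha256(token) -> (user_id, issued_at). Only the digest is stored server-side,
    # so a leaked database does not hand out usable links.
    _pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Create an unguessable token and remember when it was issued."""
        token = secrets.token_urlsafe(32)  # 256 bits, URL-safe for the emailed link
        self._pending[self._digest(token)] = (user_id, now)
        return token

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user id on first valid use; None if unknown, used or expired."""
        # pop() removes the entry, so a second visit with the same URL is rejected
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # never issued, or already consumed
        user_id, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            return None  # too old: expired tokens are dropped, never accepted
        return user_id


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("alice", now=1_000.0)
    print(store.redeem(link_token, now=1_500.0))  # first click: 'alice'
    print(store.redeem(link_token, now=1_501.0))  # replay of the same URL: None
    stale = store.issue("bob", now=1_000.0)
    print(store.redeem(stale, now=1_000.0 + TOKEN_TTL_SECONDS + 1))  # expired: None
```

Note that single use cuts both ways: whichever client fetches the link first consumes it, so if a crawler gets there before the user, the user's link is already spent.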
