One Email, Two Logins — Four Account Takeover Paths When Integrating Google Sign-In with Node.js
- time
- 14:45 ~ 15:15
- Speaker
- Gui 桂
- Room
- TR311
- Co-write
Abstract
For any system that supports both "email + password" and "Google Sign-In" (or any other third-party login), the possible states of a user identity get noticeably more complex than with a single login method — and that complexity often leaves exploitable holes behind.
Using a member system (Node.js + Express + TypeScript + MongoDB) as the case study, this talk walks through four classic account takeover paths and the corresponding fixes:
- Blocking Google from silently taking over an account that already has a password
- How a Google-only user can safely add a password later
- Unbinding before account deletion to avoid orphan bindings
- Pre-account hijacking — the attack path that strikes before the account is even created
Hope this serves as a useful reference for anyone currently integrating any kind of third-party login.
Speaker
Gui 桂
大家好!我是 Gui 桂,目前是一名網頁開發者。
從高職就讀資處科開始到後來進入職場,深知這個領域需要不斷追求卓越、終身成長,持續往技能更加全面的開發者邁進。
同時不斷參與社群,參與研討會志工與讀書會,也即將擔任網頁課程老師,希望能將過去所學透過社群分享給更多人。
目前在公司參與前後端開發,後端以 Node.js + MongoDB 為主軸,這次透過 COSCUP 分享過去在開發會員系統時,整合 Google 第三方登入的真實案例與相關考量,希望能對大家有幫助。