Active Profile page prior to Account Confirmation
Problem to solve
Currently we are seeing multiple spam accounts being created, and the accounts aren't "Confirmed". The bad actor has partly achieved their goal by having a public profile page, as it contains the relevant info they want to publish. Examples:
- https://gitlab.com/992474871
- https://gitlab.com/991780539
- https://gitlab.com/987770826
- https://gitlab.com/13169015com
Intended users
New Users
Further details
Benefits/goals of curbing this issue:
- Improve brand reputation as a result of "Cleaner" platform
- Better metrics on (valid) account creation/platform growth
- Reduce Abuse workload by reducing automated spam account creation
Proposal
- Do not make user profile pages public until the account has been confirmed by the user.
- Account activation should include reCAPTCHA v3 and email confirmation.
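The first proposal item, modelled as an added example that is not GitLab's own code: a plain-Ruby visibility policy for the profile page, with the current "any existing account is public" behaviour kept beside the proposed "confirmed accounts only" rule. The names User, ProfilePolicy, confirmed_at and the sample accounts are assumptions constructed for the example.

```ruby
# Added example (not GitLab's code): profile page visibility gated on account
# confirmation. Names and sample data are assumptions constructed here.
require 'time'

User = Struct.new(:username, :confirmed_at, :admin, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

module ProfilePolicy
  # Current behaviour described in the issue: every existing account gets a
  # public profile page, whether or not it has been confirmed.
  def self.legacy_visible?(owner, _viewer)
    !owner.nil?
  end

  # Proposed behaviour: the profile is public only once the owner has confirmed
  # the account. The owner (to review their own page) and admins (for abuse
  # review) can still see it before confirmation.
  def self.visible?(owner, viewer)
    return false if owner.nil?
    return true if owner.confirmed?
    return false if viewer.nil?
    viewer.username == owner.username || viewer.admin
  end

  # HTTP status the profile route should answer with. An unconfirmed profile
  # returns 404, the same as an unknown username, so the response does not
  # reveal whether an unconfirmed account exists behind that name.
  def self.status_for(owner, viewer)
    visible?(owner, viewer) ? 200 : 404
  end
end

# Constructed sample data, not real GitLab accounts.
ACCOUNTS = {
  'alice'  => User.new(username: 'alice',  confirmed_at: Time.parse('2019-11-01T10:00:00Z'), admin: false),
  'spam01' => User.new(username: 'spam01', confirmed_at: nil, admin: false),
  'staff'  => User.new(username: 'staff',  confirmed_at: Time.parse('2019-01-01T00:00:00Z'), admin: true)
}.freeze

def profile_status(username, viewer_name = nil)
  ProfilePolicy.status_for(ACCOUNTS[username], viewer_name && ACCOUNTS[viewer_name])
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous -> spam01: #{profile_status('spam01')}"       # 404
  puts "staff -> spam01:     #{profile_status('spam01', 'staff')}" # 200
end
```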
Documentation
Possibly:
- https://docs.gitlab.com/ee/security/user_email_confirmation.html
- https://about.gitlab.com/handbook/support/workflows/services/gitlab_com/confirmation_emails.html
Testing
A possible risk is increased friction during account creation.
What does success look like, and how can we measure that?
Success: a reduction in the number of automated spam accounts being created.
Measure:
- Number of accounts being created
- Number of Unconfirmed Accounts created
- Number of Spam Accounts (blocked)
Links / references
Related to: https://gitlab.com/gitlab-com/gl-security/operations/issues/247
/label ~feature
Edited by Charl de Wit