
Unverified secondary emails are reserved

GitLab links unverified secondary emails to user accounts. This leads to security issues and lets a user pose as the owner of email addresses that do not belong to them. This should be fixed by #356665 (closed).

This issue is a follow-up.

GitLab reserves unverified secondary emails. So for such an email address, it is not possible to

  • create a new account with it
  • add it as a secondary email to another user account and verify it there

This leads to bugs that the Support team currently resolves manually.

Bug examples:

  1. A malicious user could add the email addresses of a potential customer, e.g. (admin|john|etc)@xyz.org, as unverified secondary emails to their own account. When such a customer later starts using GitLab.com, they will not be able to create accounts with those addresses for their employees.
  2. A bug directly related to the security issue mentioned above: to accept an invite sent to an email address that is already reserved as someone else's unverified secondary email, the recipient would need to either create a GitLab account with that email or add it to an existing account as a verified secondary email. Currently, neither is possible.

Related to discussion #356665 (comment 1000391775)

GitLab should not reserve secondary emails until they are verified.

Workaround

For those with console access, you can find the user tied to the secondary email by using: Email.find_by(email: 'email@example.com')

Solution

  • On secondary email verification, show a message saying that if the email is not verified within 3 days, it will be deleted.
  • Delete the secondary email after 3 days if it has still not been verified.
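The lookup from the Workaround section and the 3-day expiry proposed above, written out as an added example in plain Ruby (this is not GitLab's code and does not touch its database). It stands in for GitLab's Email records with a Struct; the column names confirmed_at and confirmation_sent_at, the 3-day window, and the sample addresses are assumptions made for the example. It shows the two behaviours the issue distinguishes: an address is reserved as soon as any user adds it, verified or not, and the proposed cleanup releases only addresses whose verification window has run out, never verified ones or ones still inside the window.

```ruby
require 'time'

# Stand-in for a GitLab Email record (assumed column names; not the real model).
SecondaryEmail = Struct.new(:email, :user_id, :confirmation_sent_at, :confirmed_at,
                            keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

# Proposed verification window from the issue, in seconds.
VERIFICATION_WINDOW = 3 * 24 * 60 * 60

# The console workaround (Email.find_by(email: ...)) as a function over an
# in-memory list. Returns the matching record, whose user_id identifies the
# account that reserved the address, or nil when nobody has added it.
def find_email(records, address)
  addr = address.strip.downcase
  records.find { |r| r.email.downcase == addr }
end

# Current behaviour reported by the issue: an address is reserved as soon as a
# record exists for it, whether or not it was ever verified.
def reserved?(records, address)
  !find_email(records, address).nil?
end

# Records the proposed fix would delete: unverified, and the verification mail
# went out more than VERIFICATION_WINDOW ago. Verified records are never touched
# and a record still inside the window is kept so the user can finish verifying.
def expired_unverified(records, now: Time.now)
  records.reject(&:confirmed?).select do |r|
    r.confirmation_sent_at && (now - r.confirmation_sent_at) > VERIFICATION_WINDOW
  end
end

# Run the cleanup; returns [remaining records, deleted addresses].
def prune_unverified(records, now: Time.now)
  doomed = expired_unverified(records, now: now)
  [records - doomed, doomed.map(&:email)]
end

# Constructed sample data for the example (not real accounts).
NOW = Time.utc(2022, 5, 1, 12, 0, 0)
SAMPLE = [
  # Verified secondary email: must survive the cleanup.
  SecondaryEmail.new(email: 'owner@example.com', user_id: 1,
                     confirmation_sent_at: NOW - 30 * 86_400,
                     confirmed_at: NOW - 29 * 86_400),
  # The squatting case from the issue: never verified, mail sent 5 days ago.
  SecondaryEmail.new(email: 'admin@xyz.org', user_id: 7,
                     confirmation_sent_at: NOW - 5 * 86_400, confirmed_at: nil),
  # Unverified but only 1 day old: still inside the window, keep it.
  SecondaryEmail.new(email: 'john@xyz.org', user_id: 7,
                     confirmation_sent_at: NOW - 1 * 86_400, confirmed_at: nil)
]

if __FILE__ == $PROGRAM_NAME
  puts "admin@xyz.org reserved before cleanup: #{reserved?(SAMPLE, 'admin@xyz.org')}"
  remaining, deleted = prune_unverified(SAMPLE, now: NOW)
  puts "deleted: #{deleted.inspect}"
  puts "admin@xyz.org reserved after cleanup:  #{reserved?(remaining, 'admin@xyz.org')}"
  puts "john@xyz.org still reserved (in window): #{reserved?(remaining, 'john@xyz.org')}"
end
```

The lookup is case-insensitive and strips whitespace so that a support lookup for "Admin@xyz.org" finds the same record the attacker added. The strict `>` comparison means an address is released only once the full window has elapsed, which is the promise the proposed verification message would make to the user.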
Edited by Bogdan Denkovych