Facebook signup grants admin accounts when emails match

I signed up on my site with my Facebook account that uses the same email address as my main admin account. Ultimate Facebook then associated the Facebook account with the admin account, I assume because it has the same email address (I was logged out with cookies deleted).

This seems to me like a bit of a security risk, as if you set an admin's email in your Facebook then you can jump straight into the site's admin.

Is there a way to make all Facebook registrations new accounts and not merge them with existing admin accounts?

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hi again, Mike!

    WordPress won't create a duplicate account, and the email address is one of the mandatory elements for WP account creation, so a new account can't be created with an existing email account.

    I'm not sure this is possible, but I'm happy to add this to our features and feedback group.

    Thanks for your question!

  • Mike
    • The Bug Hunter

    The problem isn't that I want two accounts with the same email, the problem is I don't want people hijacking admin accounts using this as a backdoor.

    Can I make it stop merging accounts? It seems kind of crazy that a new registration automatically gets superadmin just because it gives the same email address, without also having to confirm the password.

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hi, Mike!

    If you disable Facebook Connect, which lets or forces your users to register accounts with Facebook, depending on your settings, Facebook and WordPress accounts will remain separate.

    In terms of the security risk, you've already created your Facebook app with your Facebook account, so it makes sense that you were recognized as the site admin when the accounts connected. If you go to the Permissions and Tokens tab on the Ultimate Facebook settings, you can assign a different Facebook account to your settings. Here's the dev on that: https://premium.wpmudev.org/forums/topic/setting-ultimate-facebook-up-for-a-client#post-348718

    Thanks!

  • Mike
    • The Bug Hunter

    It looked to me like this happened with any Facebook email. Are you saying only the email that created the app will do this? It looks to me like any Facebook account will get merged into any matching WordPress account without any password verification, just email matching.

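The merge-by-email behaviour Mike describes, beside the check he is asking for, as an added example in Python. This is not code from the Ultimate Facebook plugin or from WordPress; the User and FacebookIdentity types, the login_vulnerable/login_hardened functions and the sample accounts are constructed for illustration. The vulnerable flow logs in whoever presents a Facebook identity whose email matches an existing account. The hardened flow trusts a Facebook ID only if it was previously linked, creates a new low-privilege account when no account has that email, and links to an existing account only after that account's own password is re-entered.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class User:
    """Hypothetical site account (stands in for a WordPress user row)."""
    user_id: int
    email: str
    role: str
    password_hash: bytes
    salt: bytes
    linked_facebook_ids: set = field(default_factory=set)


@dataclass
class FacebookIdentity:
    """What the social-login callback hands us: provider user id, email, and
    whether the provider says it verified that email."""
    facebook_id: str
    email: str
    email_verified: bool


class LinkRefused(Exception):
    """Raised when the hardened flow will not attach this identity to an account."""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(user_id: int, email: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(user_id, email.lower(), role, hash_password(password, salt), salt)


def find_by_email(users, email):
    email = email.lower()
    return next((u for u in users if u.email == email), None)


def find_by_facebook_id(users, facebook_id):
    return next((u for u in users if facebook_id in u.linked_facebook_ids), None)


def login_vulnerable(users, identity):
    """Merge on email match alone (the behaviour reported in the thread).

    Anyone who can put the admin's address on a Facebook profile is logged in
    as the admin; the account's password is never consulted."""
    user = find_by_email(users, identity.email)
    if user is None:
        user = make_user(len(users) + 1, identity.email, "subscriber", os.urandom(16).hex())
        users.append(user)
    user.linked_facebook_ids.add(identity.facebook_id)
    return user


def login_hardened(users, identity, password=None):
    """Never merge silently.

    1. A Facebook ID that was linked earlier signs in directly.
    2. An address the provider did not verify is not trusted at all.
    3. No account with that email: create a new subscriber, not a merge.
    4. An account with that email exists: require its password before linking,
       and compare hashes in constant time."""
    linked = find_by_facebook_id(users, identity.facebook_id)
    if linked is not None:
        return linked
    if not identity.email_verified:
        raise LinkRefused("provider did not verify the email address")
    existing = find_by_email(users, identity.email)
    if existing is None:
        user = make_user(len(users) + 1, identity.email, "subscriber", os.urandom(16).hex())
        users.append(user)
        user.linked_facebook_ids.add(identity.facebook_id)
        return user
    if password is None:
        raise LinkRefused("an account with this email exists; enter its password to link")
    if not hmac.compare_digest(hash_password(password, existing.salt), existing.password_hash):
        raise LinkRefused("password does not match the existing account")
    existing.linked_facebook_ids.add(identity.facebook_id)
    return existing
```

The decisive difference is step 4: an email match is treated as a reason to ask for the existing account's credentials, never as proof of ownership. Step 2 matters too; if the provider has not verified the address, an attacker could register the admin's email on the provider side and pre-claim it here.
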
  • Michelle Shull
    • DEV MAN’s Apprentice

    Hi Mike!

    I'm going to confirm this with the dev, just to be sure. I'll send him a message and report back with what I find out. I'm nearly 100% sure it's because the app was created with that same email account, but I understand wanting to feel as safe as you can.

    Thanks for your question!
