Imagine you're building a website, and you want your users to confirm their email addresses. So you send them a link:
http://example.com/confirm-email/abc-123
They click the link, and if the token is valid: success! The email address is verified.
But what if your user is a banker, and his email is scanned for viruses? And what if the automatic scanner follows links?
That's right: your user will never get to click the link, because a machine clicked it for them. And the account will automatically get confirmed.
Not only is this annoying and confusing behaviour, but it can also be abused. Imagine an attacker knows that boss@bank.com exists. They can register an account with that address, and within minutes it'll get confirmed, without them really having access to the email account.
How do you solve the problem?
More importantly, how do you solve it without adding a new step to the process, like "paste the PIN we sent you" or "click here to verify your account"?
One note: automatically doing a POST /confirm-email/abc-123 won't fix the problem for proxies that execute JavaScript.
Question: Can you tell if http://example.com/confirm-email/abc-123 was opened in a browser?
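The "click here to verify" pattern the question mentions, as an added Python example that is not from the post: the GET a link scanner follows only renders a page and never changes state, and only an explicit form submission (not a JavaScript auto-submit, which the note above says scanners can execute) consumes the single-use token. The class name, in-memory storage and 24-hour token lifetime are assumptions.

```python
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime: confirmation links expire after one day


class EmailConfirmation:
    """Two-step confirmation: GET only renders a page, POST consumes the token."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._tokens = {}          # token -> (email, issued_at)
        self._confirmed = set()

    def issue(self, email):
        """Mint an unguessable token for the link sent to `email`."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (email, self._now())
        return token

    def _lookup(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return None
        email, issued = entry
        if self._now() - issued > TOKEN_TTL:
            del self._tokens[token]  # expired: drop it so it can never be used
            return None
        return email

    def handle_get(self, token):
        """GET /confirm-email/<token>: what a mail scanner hits. Idempotent."""
        email = self._lookup(token)
        if email is None:
            return 404, "Invalid or expired link"
        # The form is deliberately not auto-submitted from JavaScript: a
        # JS-executing proxy would otherwise confirm the account on its own.
        return 200, f'<form method="post"><button>Confirm {email}</button></form>'

    def handle_post(self, token):
        """POST /confirm-email/<token>: only an explicit click lands here."""
        email = self._lookup(token)
        if email is None:
            return 404, "Invalid or expired link"
        del self._tokens[token]       # single use: a replayed POST fails
        self._confirmed.add(email)
        return 200, f"{email} confirmed"

    def is_confirmed(self, email):
        return email in self._confirmed
```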
Will it be too much trouble for boss@bank.com to click "I'm not a robot" on the confirmation page?