
Zoom allowed a sign-up without verifying their email - aloknnikhil
https://twitter.com/kentonvarda/status/1261386443940868096
======
Wowfunhappy
Just trying to wear my skeptic hat here—how do we know this actually happened?
The user didn't even provide a screenshot—not that a screenshot would
necessarily be meaningful either.

Are there any other reports of this happening?

~~~
kentonv
The user is me. Yes, it happened. In fact, it happens all the damned time.
Lots and lots of web services don't bother verifying e-mail addresses because
they figure they'll lose conversions. I complain on Twitter every time this
happens to me, because it pisses me off -- read the thread for links to some
other examples.

The goal of my complaining is not to pile on Zoom but rather to raise
awareness that e-mail verification is not a thing that you can just skip. It's
important and -- in my humble opinion -- every service should strictly verify
all e-mails before letting users use their account in any way.

I don't know why I'd make this up. Why would I rant about a problem that
didn't actually happen?

I also don't know why this was posted on HN. This is just some guy ranting on
Twitter, not news.

~~~
aloknnikhil
I posted this here solely to raise awareness. Definitely not to shame Zoom.

------
seesawtron
There are tons of companies (apps) that let you do this. It is the tradeoff
between "bothering" your customers with the verification process of going to
their emails and clicking another link vs. letting them use your app right
away. It only hurts customers when they sign up using emails that they don't
own (unless they make a typo), so why would the company care about what
happens to their accounts?

~~~
kentonv
Yes, that's the thought process.

Unfortunately, the reality is that people sign up for things with accidentally
or intentionally wrong e-mail addresses all the time. And it doesn't just harm
those people, but also the people who have e-mail addresses that, for whatever
reason, are commonly used in error (that's me). In this case, I cannot use
Zoom under my real e-mail address because someone erroneously claimed that
address and Zoom won't let me disassociate it with that organization.

This is NOT a security vulnerability, it's just an annoying design flaw.

~~~
seesawtron
Since you have access to your own email, can't you access the account of
people who used your email and delete it? Something like the guy in the post
could potentially do since he was able to get the complete access.

~~~
kentonv
I am the guy in the post. :)

I had control of the account, but Zoom wouldn't let me disassociate it with
the organization it was stuck in (some school in Chile). I'm not gonna use my
Zoom account if it's in some random org controlled by people I don't know.

It looks like either Zoom or the school has now removed me from the org,
probably after I e-mailed both of them, though neither has actually replied to
me...

