Type in your suggestion - new feature or improvement idea

Ability to customize security aspects of the {Registration_buttons} macro (warning message, auto-login behavior) in event announcement emails

Current behavior:
When an event announcement email includes the {Registration_buttons} macro:
- the buttons have the ability to auto-login recipients
- a security warning advising against forwarding the email will automatically appear in red at the top

There are some issues with this solution:
- the "scary" security warning may reduce attendee engagement
- the risks of having an auto-login link in email might not be clear enough
- there is no customization available (i.e., there is no way to switch off the auto-login functionality and remove the message)

Desired behavior:
We need to find a proper balance between usability and security here.

6 votes

    AdminTeam Events (Event Management, Wild Apricot) shared this idea

    3 comments

      • Anonymous commented

        Currently, all event announcement emails are sent out with an auto-login feature to enable club members to register for an event without the need to manually log in to their WA site. This is a serious security flaw. If an adversary gets their hands on a user’s mailbox (this happens frequently) then they can log in to WA and impersonate the user. If this user is an administrator of the given WA site then the attacker can literally destroy all data, modify them or steal identity information not only of a single user but ALL members and contacts. The adversary may also steal PayPal tokens and POS information. The current time constraint on such links is insufficient because reminder emails also contain auto-login links and they are sent out in intervals that give an attacker a large window for compromise.

        Auto-login should be optional. Organisations that want to use this feature need to be made aware of the risks.

        In particular, I would like to request to make auto-login links in emails to users with administrator privileges optional because of the greater impact of a compromise of such an account and because these users typically log in regularly anyway and have accepted the need for authentication for all their other actions on WA.

      • klm commented

        We have a good number of events where registration is not required, and the general public is invited. We like a general head count to gauge interest, so we love the {Registration_buttons} feature.
        Yet, this "scary" warning reduces the chances someone will invite friends to the event. We've received concerned emails from our members who want to share events, but are warned not to.

        Is there a way to include an option to permit forwarding an email to others that doesn't include the automatic login to an account?

      • kbroders commented

        I think my comment didn't post so I'm going to type it in again. Sorry if I am repeating myself...

        I only need the ability to switch the warning off/on. I can then put my own message in, wherever I want and in my desired color, font, and size. I do not want a big red warning to be the first thing my recipients see. My choice would probably be black, italicized, and small. I would also have a friendlier message -- with a "please"!

        As far as auto-logging in part of the warning, I would hope that a forwarded message would bring up the event but not actually permit registration (payment) or viewing profile information without a password. (E.g., Amazon.com lets you browse to your heart's content but it always asks for a password to check out.)
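
One way to scope an emailed link along the lines the comments above ask for, as an added example that is not Wild Apricot's code or part of the original thread: the link identifies the recipient for a personalised event view only, expires, is never issued to administrators, and any sensitive action still needs a password. The key, lifetime, action names and function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # constructed; load a real key from a secret store
TTL_SECONDS = 24 * 3600            # assumed link lifetime
SENSITIVE = {"register", "pay", "view_profile"}  # assumed action names

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_link_token(user_id, event_id, is_admin, now=None):
    """Token for the emailed button, or None when the recipient is an admin."""
    if is_admin:
        return None  # administrators get a plain link and log in as usual
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "evt": event_id, "exp": now + TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    return _enc(body) + "." + _enc(hmac.new(SECRET, body, hashlib.sha256).digest())

def decide(token, action, event_id, password_verified=False, now=None):
    """Return 'allow', 'deny' or 'password_required' for one request."""
    if action in SENSITIVE:
        # The emailed link alone never authorizes these, so a forwarded or
        # stolen email cannot register, pay or read profile data.
        return "allow" if password_verified else "password_required"
    if action != "view_event" or not token:  # personalised event view only
        return "deny"
    try:
        body_part, sig_part = token.split(".")
        body, sig = _dec(body_part), _dec(sig_part)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return "deny"
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "deny"
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if now > claims["exp"] or claims["evt"] != event_id:
        return "deny"
    return "allow"
```
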
