When a single IP can create unlimited accounts, bans become meaningless — a banned user creates a fresh account and resumes immediately. CWE-799 applies: without account-creation rate limiting, the enforcement system is trivially circumvented. Beyond ban evasion, unrestricted signup enables large-scale coordinated behavior: sock puppet networks, fake review farms, and artificially inflated user counts that distort analytics and business decisions. Platforms without IP-level account limits also bear the database and email delivery cost of every throwaway account created during attacks.
Medium because duplicate account creation directly enables ban evasion and coordinated inauthentic behavior, but requires attacker effort and does not expose existing user data.
Apply IP-based rate limiting to the signup endpoint in src/app/api/auth/signup/route.ts:
import rateLimit from 'express-rate-limit';

export const signupLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour window
  max: 5, // 5 accounts per IP per hour
  // Key buckets by client IP; behind a reverse proxy, req.ip is only correct
  // if the proxy is trusted (e.g. Express 'trust proxy'), otherwise every
  // request shares the proxy's address or can pick its own via X-Forwarded-For.
  keyGenerator: (req) => req.ip,
  message: 'Too many accounts created from this IP. Try again later.',
});
For higher-assurance requirements, add phone verification (Twilio Verify or similar) as a second factor on signup. This raises the cost of duplicate account creation from zero to per-number SMS pricing.
ID: community-moderation-safety.spam-prevention.duplicate-accounts
Severity: medium
What to look for: Check for protections against creating multiple accounts per user/IP. Look for rate limiting on account creation, IP-based account limits, or phone verification. Check if banned users can easily create new accounts.
Pass criteria: Account creation is rate-limited to no more than 5 accounts per IP per hour, or requires phone verification. Count the number of anti-duplicate-account mechanisms present (rate limiting, phone verification, IP tracking). Banned users face friction to create new accounts (e.g., different IP, payment method). Quote the actual rate-limit configuration values from code.
Fail criteria: No friction. One IP can create unlimited accounts. Banned users can instantly create a new account and resume posting.
Skip (N/A) when: Platform has fewer than 100 active users and minimal spam pressure.
Detail on fail: "No rate limiting on signup. A single IP can create 100+ accounts in seconds."
Remediation: Implement rate limiting on account creation per IP address at src/api/auth/signup/route.ts:
import rateLimit from 'express-rate-limit';

const signupLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour window
  max: 5, // 5 accounts per IP per hour
  keyGenerator: (req) => req.ip, // requires a trusted proxy setting to see the real client IP
  message: 'Too many accounts created from this IP.',
});
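Both remediation snippets above use the express-rate-limit middleware, whose (req, res, next) signature does not apply directly inside a Next.js Route Handler such as route.ts. The following is an added example, not the page's or the project's code: a fixed-window per-IP limiter (5 per hour, as the pass criteria require) plus a client-IP resolver, written to be called from a Route Handler. It assumes a single process with an in-memory store; a shared store such as Redis is needed across instances.

```typescript
// Added example: fixed-window signup limiter keyed by client IP, usable from a
// Next.js Route Handler. In-memory store (assumption: one process).
export interface LimitResult { allowed: boolean; remaining: number; retryAfterSec: number }

export function createSignupLimiter(windowMs = 60 * 60 * 1000, max = 5) {
  const hits = new Map<string, { count: number; windowStart: number }>();
  return {
    // `now` is injectable so the window logic can be tested deterministically.
    check(ip: string, now: number = Date.now()): LimitResult {
      const entry = hits.get(ip);
      if (!entry || now - entry.windowStart >= windowMs) {
        // First hit, or the previous window expired: start a fresh window.
        hits.set(ip, { count: 1, windowStart: now });
        return { allowed: true, remaining: max - 1, retryAfterSec: 0 };
      }
      entry.count += 1;
      const allowed = entry.count <= max;
      // Tell blocked clients when the window resets (for a Retry-After header).
      const retryAfterSec = allowed ? 0 : Math.ceil((entry.windowStart + windowMs - now) / 1000);
      return { allowed, remaining: Math.max(0, max - entry.count), retryAfterSec };
    },
  };
}

// The IP used as the rate-limit key must come from a proxy you control. A
// client-supplied X-Forwarded-For, if trusted blindly, lets each request choose
// its own bucket and defeats the limit. With one trusted proxy in front, the
// rightmost entry is the address that connected to that proxy; earlier entries
// are client-controlled and must be ignored.
export function clientIp(xForwardedFor: string | null, trustProxy: boolean, socketIp: string): string {
  if (!trustProxy || !xForwardedFor) return socketIp;
  const parts = xForwardedFor.split(',').map((s) => s.trim()).filter(Boolean);
  return parts.length > 0 ? parts[parts.length - 1] : socketIp;
}

// Usage sketch inside route.ts (POST handler), hypothetical names:
//   const r = limiter.check(clientIp(req.headers.get('x-forwarded-for'), true, socketIp));
//   if (!r.allowed) return new Response('Too many accounts created from this IP.',
//     { status: 429, headers: { 'Retry-After': String(r.retryAfterSec) } });
```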