Can any account with verified email address be used to merge with an account with unverified email address?

Say, if using OpenID Selector which is Stock Overflow's log in system, or JanRain, which actually allows using Facebook or Twitter to log in as well as OpenID, then, some email address are not verified.

On the original website, if an email addresses is not verified, maybe we can merge two accounts (treat them as one user) if OpenID or JanRain logs in a user with an email address that is verified, and our current user accounts also has a user with that email address (but unverified) -- the real user can take control of the account now.

But, what if a hacker register a celebrity's email address, and then just wait months until the celebrity uses OpenID or Facebook with the verified email address to "merge" the two accounts.

(The website can announce the accounts are merged, but the celebrity may not remember whether he or she previously has sign up in that website. so he or she may not feel security breach). So, the security risk is. Now whatever the celebrity does -- saving items to a list, etc, the hacker can now silently monitor what is being done.

S开发者_开发问答o is it true that if any account has an unverified email address, no other account should merge with it. Only if both accounts have that same verified email address, then those accounts can be treated as one single account.

Is this true, or can the rule be more flexible than this?

I seriously think it is a bad idea not to verify the email account of a user.

I understand that it simplifies the flow, but it could be easily used to say blacklist your mail server. Imagine when you send out mass emails to your members, and a lot of them are bogus, you may be reported by these bogus emails as spam.

Having a verified email system, by sending them a email with a link requiring them to click on it to complete the registration is a better system.