Re: Changing email address security issue #misc


Robert Oshel
 

How about allowing a moderator to change someone's email address only for that group, and the change does not go into effect until after the person is notified by email to the old address that the moderator is attempting to change his or her email address for the group and the person clicks an "I approve" option in the mail?  I have some technologically challenged members who have asked me to change their address.

  Bob

On Wed, Feb 3, 2021 at 11:55 AM Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

Premium group owners have the ability to change the email addresses of their members. The email address is changed on the member's Groups.io account, so affects all their subscriptions. As was pointed out to me privately, this presents a security issue. If a member is an owner of another group, this feature provides the ability for a nefarious group owner to take over that other group, by changing the email address of the member to a new email address controlled by the baddie.

I have changed the feature so that you cannot change the email address of a member who is a moderator or owner of a group.

Should I make other changes? Should the change only affect that one subscription? That is, if someone is subscribed to 2 groups, and the moderator of one of those groups changes that person's email address, should I then create a new Groups.io account, splitting off that one subscription?

Thanks,
Mark
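
The two safeguards discussed in this thread, sketched together as an added example: changes are refused for anyone who is a moderator or owner of a group, and a per-group change takes effect only after approval sent to the old address. This is not Groups.io code; the `Directory` class, its fields, the token scheme and the 72-hour window are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 72 * 3600  # assumed approval window, in seconds
PRIVILEGED = ("moderator", "owner")

class Directory:
    """Toy membership store (hypothetical; not the Groups.io data model)."""

    def __init__(self):
        self.account_email = {}  # account -> account-wide address
        self.roles = {}          # (account, group) -> role
        self.group_email = {}    # (account, group) -> per-group override
        self.pending = {}        # sha256(token) -> (account, group, new, expiry)
        self.outbox = []         # (recipient, token): constructed mail queue

    def address_for(self, account, group):
        return self.group_email.get((account, group), self.account_email[account])

    def request_change(self, actor, account, group, new_email, now=None):
        now = time.time() if now is None else now
        if self.roles.get((actor, group)) not in PRIVILEGED:
            raise PermissionError("actor does not run this group")
        if (account, group) not in self.roles:
            raise LookupError("target is not subscribed to this group")
        # Rule from the thread: never touch a moderator or owner of any group.
        if any(a == account and r in PRIVILEGED for (a, _), r in self.roles.items()):
            raise PermissionError("target is a moderator or owner")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (account, group, new_email, now + TOKEN_TTL)
        # The approval link goes to the address on file, never to the new one.
        self.outbox.append((self.address_for(account, group), token))

    def approve(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: replay finds nothing
        if entry is None or now > entry[3]:
            return False
        account, group, new_email, _ = entry
        # Scoping from the thread: only this group's delivery address changes.
        self.group_email[(account, group)] = new_email
        return True
```

Only the token's hash is stored, so a leaked copy of the pending table does not by itself let anyone approve a change.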
