moderated Re: Changing email address security issue #misc


 

Imagine some unsuspecting new member. They join groups.io and they (akin to the scenario in Mark’s original post here) run into some bad-actor group owner, having no idea that ANY group owner, of ANY group theg join, csn actually change their email address, which comprises the basis of their entire groups.io account and is the one piece of data that uniquely identifies them to the system. Of course that means, in the bad actor scenario, that group owner also has their login password.

No, Andy. I am entirely comfortable and confident in using grouos.io. But no, I’m not comfortable or confident with that scenario. 


On Feb 3, 2021, at 3:32 PM, J_Catlady via groups.io <j.olivia.catlady@...> wrote:

Andy,

I never said I’m not “comfortable or confident” using the feature. I don’t know where you get that. I think the feature gives groups inappropriate power over members’ groups.io accounts. 

As Bruce put it: we can’t change members’ profiles, but we can change their login info? 


On Feb 3, 2021, at 2:56 PM, Andy Wedge <andy_wedge@...> wrote:

On Wed, Feb 3, 2021 at 06:35 PM, J_Catlady wrote:
Exactly, what Peter says. it’s risk vs benefit. Huge risk, negligible benefit.
If you're not comfortable or confident in using this function then just stay clear. Nobody is forcing you to use it. Some of us find it useful and use it carefully in support of members. If the account address being changed is subscribed to other groups then a warning message or prompt might be nice but I'd still want the function.

Andy

--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu


--
J

Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu

Join main@beta.groups.io to automatically receive all group messages.