moderated Re: Changing email address security issue #misc



Yes, coffee time for me. Realized immediately after.

However, the whole thing still feels wrong to me. One issue is that it’s asymmetrical. New member joins a lone group, asks mod to change their email address, mod says sure, no problem. Time goes by and they join another group, decide to change their email address again, and this time mod says sorry can’t do that, you’re now in more than one group. User scratches head in confusion.

Or, mod sees the “change email” panel in the member page for only a subset of their members, wonders why it’s gone (or grayed out) in the others. At minimum this will require a lot of education of mods.

I feel there are other scenarios that we can’t imagine yet.

On Feb 3, 2021, at 11:54 PM, Shal Farley <> wrote:


Nothing until they start joining other groups.
Coffee time (for you or for me*)?.

If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act.

If the baddie acts first it is the baddie's own address joining those other groups. The baddie could have done that w/o stealing a subscription to his/her own group.

Looked at another way, if the victim has no other subscriptions, then the baddie's address change ploy is no different than removing the victim from baddie's group and subscribing the baddie's alternate address to that group.

There may be one slight thing to gain. It allows the baddie to be seen as the poster of the victim's content in baddie's group. But then again the baddie could remove and repost the victim's content, so it is a really meager advantage.

*Actually, nearly bed time for me. So water, not coffee.


Messages are the sole opinion of the author, especially the fishy ones.
My humanity is bound up in yours, for we can only be human together. - Desmond Tutu

Join to automatically receive all group messages.