moderated Re: Changing email address security issue #misc


Robert Oshel
 

Wouldn't having the system send an email to the original address (the one being changed) requiring a confirmation that the change to the new address is legitimate before the change goes into effect solve the problem? The would-be hijacking moderator or owner wouldn't have any control over the original address, so he or she couldn't send a confirmation that the change is legitimate and the change wouldn't take effect.

   Bob


On Wed, Feb 3, 2021 at 8:01 PM Bruce Bowman <bruce.bowman@...> wrote:
On Wed, Feb 3, 2021 at 07:29 PM, J_Catlady wrote:
If they have your email address (assuming it’s really one of their own) they can request a login link and set one up. Right?
Correct.

Currently, a Premium group Owner can change any group member's address, log out, and subsequently request a login link to that address. That being so, anyone with $20 in their pocket and a few extra email addresses can set up a Premium group for a month and shanghai the accounts of everyone who joins it.

Restricting the vulnerability to such malfeasance to those who are neither Moderators nor Owners seems quite inadequate.

Regards,
Bruce
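
The confirmation step proposed in this thread, sketched as an added example (not part of anyone's post and not Groups.io's code). The class and method names are hypothetical, and the 24-hour token lifetime is an assumption.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed validity window for the confirmation token


class Accounts:
    """Toy account store; every name here is hypothetical."""

    def __init__(self):
        self.email = {}    # member_id -> current (confirmed) address
        self.pending = {}  # member_id -> (new_address, token_hash, expiry)
        self.outbox = []   # (recipient, token) pairs standing in for sent mail

    def request_change(self, member_id, new_address, now=None):
        """Callable by a member, moderator or owner: records intent only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[member_id] = (new_address, digest, now + TOKEN_TTL)
        # The token is mailed to the ORIGINAL address, which the requester
        # controls only if they are the real account holder.
        self.outbox.append((self.email[member_id], token))

    def confirm_change(self, member_id, token, now=None):
        """Apply the change only when the token sent to the old address is presented."""
        now = time.time() if now is None else now
        entry = self.pending.get(member_id)
        if entry is None:
            return False
        new_address, digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(presented, digest):
            return False
        self.email[member_id] = new_address
        del self.pending[member_id]  # token is single use
        return True

    def login_link_recipient(self, member_id):
        """Login links go to the confirmed address, never to a pending one."""
        return self.email[member_id]
```

Until `confirm_change` succeeds, a login link requested for the account is still delivered to the original address, so changing the address and then requesting a link gains nothing.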
