Re: Changing email address security issue #misc

Mark Murphy

I reported this issue to Mark privately because I consider it a serious security issue. I believe the potential security implications far outweigh any convenience this feature may provide even to a well-intentioned owner or moderator who wishes to help a member who no longer has access to an email address or who wishes to change their email address.

Maybe I'm missing something about the "need" for this feature. If a member wants/needs to change their email address, why can't the member just re-subscribe to their groups with the new email address? Are there common and valid use cases for owners or mods needing to change the email on behalf of the member, other than "convenience" for the member?

The problem here is that the ability for a user to change their email address is often implemented through an authentication mechanism other than email, such as providing a username and password. Since these are not required in GIO for email-only members, there is no alternative authentication mechanism available.

Thank you,


