The 1000+ members in my group had never heard of Groups.io until we switched to using it. There is one member that I know of who has membership to another group but that's it. So the other 999+ are

Excellent idea! However, the owner's name appears in "underlying link blue" which makes it very difficult to read. Chris .

Shal, Yes, coffee time for me. Realized immediately after. However, the whole thing still feels wrong to me. One issue is that it’s asymmetrical. New member joins a lone group, asks mod to change

Dano, I have no evidence, but I think it may be your experience that is the exception. ¯\_(ツ)_/¯ In any case, a modification could be that the member may not have subscriptions to any groups

Shal notes: Shal - I think being able to help members with only a single group is a pretty rare situation. I own two premium groups, focused on a particular railroad's history and operations, that are

J, Coffee time (for you or for me*)?. If the member joins another group before the baddie acts, then the mitigation prevents the nefarious act. If the baddie acts first it is the baddie's own

Nothing until they start joining other groups. -- J Messages are the sole opinion of the author, especially the fishy ones. My humanity is bound up in yours, for we can only be human together. -

When I said that an unscrupulous owner who changes a member's email address to one of their own "also has their password," I meant that they essentially have it by virtue of being immediately able to

Christos, The catch-22 is that in the baddie scenario the baddie controls the new mailbox. So allowing the baddie to confirm their own misdeed adds no security. On the other hand, in the use-case

'No way ever' is true until it is proven not to be. https://grahamcluley.com/poor-password-security-mensa/ I was one of two people mentioned there who had their personal details exposed in their

Pete, As others have discussed, I think the primary use case for the feature is assistance to group members who are having trouble maintaining their subscription. That's why I suggested limiting it

I agree. Palpably inadequate! https://www.youtube.com/watch?v=9E1bOYLuxUw -- J Messages are the sole opinion of the author, especially the fishy ones. My humanity is bound up in yours, for we can

>>> Instead of continuing to support a major security breach, groups.io could simply streamline and clarify the process for users who want to change their email addresses. It is

It may be that the problem lies in the wording on the Change Email page. Once you click on it, you're told "are you sure you want to change your email address - you must reconfirm your account" but

I'm with the others, just the pure technical concept itself of being able to freely and easily change someone else's email address is inherently risky; so from that perspective, even if I see value in

I think removing it is getting more “votes“ here than keeping it. -- J Messages are the sole opinion of the author, especially the fishy ones. My humanity is bound up in yours, for we can only

My opinion: someone not part of the groups.io support team should not be able to change a member's email address, even if that member is only a member of that one group, and even if it's a premium

Yes, it is...and will remain so, as long as the "email me a link" sign-in function exists in tandem with the "change someone else's email address." Honestly, I've been aware of this as a potential

Yes. And isn't the basis of the whole take-over-someone's-group scenario that Mark originally posted about based on exactly that? Or I'm missing something here. -- J Messages are the sole opinion

Good point! So only premium group owners can hack people's accounts. ;) -- J Messages are the sole opinion of the author, especially the fishy ones. My humanity is bound up in yours, for we can