This was originally posted in Group_Help. Bruce Bowman suggested I also post the issue here. It feels like a #bug to me, but given discussion, apparently is not seen as a bug by others.
From original post:
I forwarded an email message from a Groups.io group, which contains a number of links at the bottom. Upon inspection, it appears that anyone can anonymously click the "unsubscribe" link, and modify my message preferences, or even unsubscribe me from the group (even if I'm owner!) The links are a great feature, but allowing me to be removed from a group by innocently forwarding a message seems pretty bad to me.
From follow-up post:
Certainly they [the links] can be deleted [before forwarding], but not many users will know to remove them when forwarding the email. I'm sure few if any will even know of the hazard of innocently forwarding the message. At least, when you're unsubscribed, you get an email offering to undo the action. And if you undo, the link can't be (ab)used to unsubscribe you again. You can also be switched to digest mode, without such a notification. Basically, someone could change your settings, and you as user get no indication that it occurred.
I get this resistance when you're trying to opt-out of some marketing mailing list. This is very different; you had to opt into the group; if you truly want to leave, it doesn't seem like a high bar to require some kind of authentication prior to leaving. Leaving this as a link that anyone can anonymously follow and modify my settings is pretty unsettling.
At least, if you click unsubscribe, fine, maybe you shouldn't be forced to authenticate with credentials, but surely it would not be unreasonable to require confirmation by email before the action is committed? And surely, all changes that can be anonymously performed with said link should unequivocally send a notification?
If someone does accidentally send the link out (oops, forgot to remove links when forwarding), there's no way to disable it, except to actually unsubscribe and resubscribe to the group. Without doing so, if link gets out, it appears to remain active for anyone to exercise at a later time. It I click "cancel and stay", how about it cancels the link so it cannot be reused?
Since this is a #suggestion, I would suggest:
If you have an account with credentials, if you try to unsubscribe, you should either: receive an email with a link to confirm, or be required to authenticate with said credentials to perform the task.