Opened 5 years ago

Last modified 5 years ago

#5129 new defect

Saving new passwords does not require the old one

Reported by: oxplot Owned by: rails-dev@…
Priority: minor Milestone:
Component: website Version:
Keywords: Cc:

Description

When saving a new password under the User Account Settings page, the old password is not required.

This is very bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.

Change History (5)

comment:1 Changed 5 years ago by Tom Hughes

Priority: critical → minor

comment:2 Changed 5 years ago by Tom Hughes

They can't actually take away access completely, because the user can still recover access using the password reset facility - the only way to stop that would be to change the email, but you can't do that without access to the original email in order to confirm the change.

comment:3 Changed 5 years ago by oxplot

What if someone lost access to their original email and wanted to change their email to a new one?

comment:4 Changed 5 years ago by Tom Hughes

The only way to do that is to contact support and have us do it by hand if you can convince us it really is your account.

comment:5 Changed 5 years ago by oxplot

OK, then room for improvement. If the old password is required for setting a new one, you:

  • Fix the issue here (it's still an issue because it creates work for the user)
  • Reduce the number of support calls and the headache of figuring out if someone's telling the truth or not.

And users can still forget and reset their passwords like before.

Last edited 5 years ago by oxplot
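As an added example, not code from the OpenStreetMap website or from anyone in this thread, a Ruby sketch of the check proposed in comment:5: the password change goes through only when the current password is supplied and verifies, so a hijacked session on its own cannot be used to lock the owner out. The `Account` class, its method names and the PBKDF2 parameters are assumptions.

```ruby
require "openssl"
require "securerandom"

# Added example, not OpenStreetMap's code: a password-change routine that
# enforces the fix requested in this ticket. The new password is stored only
# when the caller proves knowledge of the current one, so a stolen session
# cookie by itself cannot be used to lock the real owner out.
class Account
  ITERATIONS = 100_000
  KEY_LEN    = 32

  def initialize(password)
    set_password(password)
  end

  # True when +candidate+ matches the stored password.
  def authenticate(candidate)
    return false if candidate.nil?
    secure_equal?(derive(candidate, @salt), @hash)
  end

  # The check this ticket asks for: the old password must be supplied and
  # must verify before the new one replaces it.
  def change_password(old_password, new_password)
    return :current_password_required if old_password.nil? || old_password.empty?
    return :current_password_incorrect unless authenticate(old_password)
    return :new_password_too_short if new_password.to_s.length < 8
    set_password(new_password)
    :changed
  end

  private

  def set_password(password)
    @salt = SecureRandom.random_bytes(16)
    @hash = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN,
                               OpenSSL::Digest.new("SHA256"))
  end

  # Constant-time comparison so timing does not reveal how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The password-reset flow discussed in comment:2 is unaffected: it is a separate path that proves control of the e-mail address rather than knowledge of the old password.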