Opened 6 years ago

Closed 14 months ago

#5129 closed defect (duplicate)

Saving new passwords does not require the old one

Reported by: oxplot
Owned by: rails-dev@…
Priority: minor
Milestone:
Component: website
Version:
Keywords:
Cc:


When saving a new password under User Account Settings page, the old password is not required.

This is very bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.

Change History (7)

comment:1 Changed 6 years ago by Tom Hughes

Priority: critical → minor

comment:2 Changed 6 years ago by Tom Hughes

They can't actually take away access completely, because the user can still recover access using the password reset facility - the only way to stop that would be to change the email, but you can't do that without access to the original email in order to confirm the change.

comment:3 Changed 6 years ago by oxplot

What if someone lost access to their original email and wanted to change their email to a new one?

comment:4 Changed 6 years ago by Tom Hughes

The only way to do that is to contact support and have us do it by hand if you can convince us it really is your account.

comment:5 Changed 6 years ago by oxplot

OK, then there's room for improvement. If the old password is required for setting a new one, you:

  • Fix the issue here (it's still an issue because it creates work for the user)
  • Reduce the number of support calls and the headache of figuring out if someone's telling the truth or not.

And users can still forget and reset their passwords like before.

Last edited 6 years ago by oxplot
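The session-only password change the report describes and the current-password check proposed in comment:5, as an added Ruby example (not the OpenStreetMap website's own code); the Account class, its PBKDF2 storage scheme and the eight-character minimum are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a user record (assumption: salted PBKDF2 storage).
class Account
  attr_reader :email
  def initialize(email, password)
    @email = email
    store_password(password)
  end

  # Verify a candidate password against the stored hash in constant time.
  def authenticate?(candidate)
    secure_compare(derive(candidate, @salt), @pass_crypt)
  end

  # Behaviour the ticket reports: a request carrying a valid session is enough
  # to set a new password, so a stolen session can lock the real owner out.
  def change_password_unchecked!(new_password)
    store_password(new_password)
    :changed
  end

  # Fix proposed in comment:5: the current password must accompany the new one,
  # so a session by itself cannot change it. Email-based reset is unaffected.
  def change_password!(current_password, new_password)
    return :wrong_current_password unless authenticate?(current_password)
    return :new_password_too_short if new_password.length < 8 # assumed policy
    store_password(new_password)
    :changed
  end

  private

  def store_password(password)
    @salt = SecureRandom.random_bytes(16)
    @pass_crypt = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end

  # Constant-time comparison so the check does not leak the hash byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A web handler would call `change_password!` with both form fields and reject the request on anything other than `:changed`, while the reset flow keeps issuing a fresh password through the emailed token.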

comment:7 Changed 14 months ago by mmd

Resolution: duplicate
Status: new → closed