Saving new passwords does not require the old one #5129
Comments
|
Author: TomH They can't actually take away access completely, because the user can still recover access using the password reset facility - the only way to stop that would be to change the email, but you can't do that without access to the original email in order to confirm the change. |
|
Author: oxplot What if someone lost access to their original email and wanted to change their email to a new one? |
|
Author: TomH The only way to do that is to contact support and have us do it by hand if you can convince us it really is your account. |
|
Author: oxplot OK, then room for improvement. If the old password is required for setting a new one, you:
And users can still forget and reset their passwords like before. |
|
Author: mmd Discussion continues here: openstreetmap/openstreetmap-website#2144 |
Reporter: oxplot
[Submitted to the original trac issue database at 1.04am, Monday, 24th February 2014]
When saving a new password under [[https://www.openstreetmap.org/user/username/account|User Account Settings]] page, the old password is not required.
This is very bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.
The text was updated successfully, but these errors were encountered: