You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: oxplot [Submitted to the original trac issue database at 1.04am, Monday, 24th February 2014]
When saving a new password under [[https://www.openstreetmap.org/user/username/account|User Account Settings]] page, the old password is not required.
This is very bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.
The text was updated successfully, but these errors were encountered:
Author: TomH [Added to the original trac issue at 9.02am, Tuesday, 25th February 2014]
They can't actually take away access completely, because the user can still recover access using the password reset facility - the only way to stop that would be to change the email, but you can't do that without access to the original email in order to confirm the change.
Reporter: oxplot
[Submitted to the original trac issue database at 1.04am, Monday, 24th February 2014]
When saving a new password under [[https://www.openstreetmap.org/user/username/account|User Account Settings]] page, the old password is not required.
This is very bad. A malicious party who has stolen a logged in session can take away access from the original user completely by changing his/her password.
The text was updated successfully, but these errors were encountered: