Old 07-31-2016, 06:17 AM   #1
rfog
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
Security problem changing email?

Hi all!

I have just changed my email and found a possible security problem (more than security, a logic problem) in the way it is done now.

When you change your email, you need to enter your password and then the new email address. A confirmation email is sent to that address.

Now suppose a bad guy has got your password (because it is weak: how many of you have 1234 or similar as a password? Or he got it from another leaked service, etc.). Then he changes your email to his own email; the confirmation is sent to the new email but not to the old one.

The right thing would be to send the confirmation link to both emails and only change the password when both emails confirm it.

What do you think about this?
rfog is offline   Reply With Quote
Old 07-31-2016, 01:03 PM   #2
theducks
Well trained by Cats
Posts: 29,800
Karma: 54830978
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
Quote:
Originally Posted by rfog View Post
Hi all!

I have just changed my email and found a possible security problem (more than security, a logic problem) in the way it is done now.

When you change your email, you need to enter your password and then the new email address. A confirmation email is sent to that address.

Now suppose a bad guy has got your password (because it is weak: how many of you have 1234 or similar as a password? Or he got it from another leaked service, etc.). Then he changes your email to his own email; the confirmation is sent to the new email but not to the old one.

The right thing would be to send the confirmation link to both emails and only change the password when both emails confirm it.

What do you think about this?
The other common way is to notify the old email as a courtesy and provide an "abort this change, not authorized" link. No reply = 'all is well'. The link should be good for a period of days (not everyone checks mail daily).
theducks is offline   Reply With Quote
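The flow described in the two posts above (confirmation link to the new address, courtesy notice with an abort link to the old address that stays valid for days), as an added example that is not code from MobileRead or from either poster; the in-memory user store, the 7-day abort window and the captured outbox are assumptions made for the example, and the password check is assumed to happen before `request_change` is called.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

ABORT_WINDOW = timedelta(days=7)  # assumption: abort link stays valid for a week


def _hash(token: str) -> str:
    # Store only a hash of each token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChangeFlow:
    """In-memory model of the change flow; caller has already checked the password."""

    def __init__(self, users: dict):
        self.users = users    # user_id -> current email (constructed sample store)
        self.pending = {}     # user_id -> pending change record
        self.outbox = []      # (recipient, kind, token) captured instead of sending mail

    def request_change(self, user_id: str, new_email: str, now: datetime) -> None:
        old_email = self.users[user_id]
        confirm, abort = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[user_id] = {"old": old_email, "new": new_email, "created": now,
                                 "confirm": _hash(confirm), "abort": _hash(abort),
                                 "aborted": False}
        self.outbox.append((new_email, "confirm", confirm))  # proves control of new address
        self.outbox.append((old_email, "abort", abort))      # courtesy notice + veto link

    def _valid(self, user_id, token, kind, now):
        p = self.pending.get(user_id)
        if p is None or now - p["created"] > ABORT_WINDOW:
            return None
        return p if secrets.compare_digest(_hash(token), p[kind]) else None

    def confirm(self, user_id: str, token: str, now: datetime) -> bool:
        p = self._valid(user_id, token, "confirm", now)
        if p is None or p["aborted"]:
            return False
        self.users[user_id] = p["new"]  # record is kept so the old address can still veto
        return True

    def abort(self, user_id: str, token: str, now: datetime) -> bool:
        p = self._valid(user_id, token, "abort", now)
        if p is None:
            return False
        p["aborted"] = True
        if self.users[user_id] == p["new"]:
            self.users[user_id] = p["old"]  # change already applied: roll it back
        # An abort implies the password is compromised; also revoke sessions and force a reset.
        return True
```

Note that the pending record is deliberately not deleted on confirmation: the old address keeps its veto for the whole window, which is what turns "no reply = all is well" into a safe default.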
Old 07-31-2016, 01:46 PM   #3
rfog
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
Yes, that's another option.

In relation to not checking email daily... well, I have some accounts I only check weekly or even monthly, like... er... mmmm... the email I had on MobileRead.
rfog is offline   Reply With Quote
Old 07-31-2016, 06:31 PM   #4
BetterRed
null operator (he/him)
Posts: 20,567
Karma: 26954694
Join Date: Mar 2012
Location: Sydney Australia
Device: none
Be aware that the old email server might have been torn down without warning, or seized by the NSA or another such agency, in which case the account is a black hole. I had my 'private' account at such a service; when the NSA seized it, I had no end of grief with banks, local government, public utilities, etc.

Because I couldn't respond to the change-email-address confirmation message, sent to what was now an NSA black hole, I had to supply stat decs to banks etc. so they would change my email addy manually. PayPal mail is still a problem for me because of that.

BR
BetterRed is offline   Reply With Quote
Old 08-01-2016, 02:20 AM   #5
HarryT
eBook Enthusiast
Posts: 85,544
Karma: 93383043
Join Date: Nov 2006
Location: UK
Device: Kindle Oasis 2, iPad Pro 10.5", iPhone 6
There are many reasons why one may no longer have access to an old email account, e.g. changing jobs, moving ISP, finishing a course as a student, etc. A system which relied on confirmation from the old address would be a real pain!
HarryT is offline   Reply With Quote
Old 08-01-2016, 03:07 AM   #6
rfog
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
Yes, but in that case the user needs to type more information to be able to change his email.

I'm only informing about a possible security problem.
rfog is offline   Reply With Quote
Old 08-03-2016, 05:39 PM   #7
Alexander Turcic
Fully Converged
Posts: 18,163
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
I agree about the potential security issue. At a minimum a notification to the old email should be sent out.
Alexander Turcic is offline   Reply With Quote
Old 08-04-2016, 10:10 PM   #8
theducks
Well trained by Cats
Posts: 29,800
Karma: 54830978
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
Quote:
Originally Posted by Alexander Turcic View Post
I agree about the potential security issue. At a minimum a notification to the old email should be sent out.
Some of my accounts can also TEXT a simple notice. That takes care of the now-dead ISP issue.
theducks is offline   Reply With Quote