07-31-2016, 06:17 AM | #1 |
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
|
Security problem changing email?
Hi all!
I have just changed my email and found a possible security problem (more than security, a logic problem) in the way it is done now. When you change your email, you need to enter your password and then the new email address. A confirmation email is sent to that address. Now suppose a bad guy has got your password (because it is weak, how many of you have 1234 or similar as password?, or he got it from another leaked service, etc). Then he changes your email to his own email, and the confirmation is sent to the new email but not to the old one. The right thing would be to send the confirmation link to both emails and only change the password when both emails confirm that. What do you think about this? |
07-31-2016, 01:03 PM | #2 | |
Well trained by Cats
Posts: 29,800
Karma: 54830978
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
|
07-31-2016, 01:46 PM | #3 |
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
|
Yes, that's another option.
In relation to not checking email daily... well, I have some accounts I only check weekly and even monthly, like... er... mmmm... the email I had in Mobileread. |
07-31-2016, 06:31 PM | #4 |
null operator (he/him)
Posts: 20,567
Karma: 26954694
Join Date: Mar 2012
Location: Sydney Australia
Device: none
|
Be aware that the old email server might have been torn down without warning, or seized by the NSA or other such agency, in which case the account is a black hole. I had my 'private' account at such a service; when the NSA seized it, I had no end of grief with banks, local government, public utilities etc etc.
Because I couldn't respond to the change email address confirmation message, sent to what was now an NSA black hole, I had to supply stat decs to banks etc so they would change my email addy manually. PayPal mail is still a problem for me because of that. BR |
08-01-2016, 02:20 AM | #5 |
eBook Enthusiast
Posts: 85,544
Karma: 93383043
Join Date: Nov 2006
Location: UK
Device: Kindle Oasis 2, iPad Pro 10.5", iPhone 6
|
There are many reasons why one may no longer have access to an old email account, e.g. changing jobs, moving ISP, finishing a course as a student, etc. A system which relied on confirmation from the old address would be a real pain!
|
08-01-2016, 03:07 AM | #6 |
Guru
Posts: 694
Karma: 2383012
Join Date: Aug 2007
Location: Schiedam (The Netherlands)
Device: Lots of eInk devices and iOS stuff
|
Yes, but in that case the user needs to type more information to be able to change his email.
I'm only informing about a possible security problem. |
08-03-2016, 05:39 PM | #7 |
Fully Converged
Posts: 18,163
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
|
I agree about the potential security issue. At a minimum a notification to the old email should be sent out.
|
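The notification idea from the post above, combined with the confirmation link already sent to the new address, as an added example that is not the forum's own code. The class, its method names, the in-memory store, the TTL values and the lock-on-undo behaviour are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CONFIRM_TTL = 3600       # assumed: new-address link valid for 1 hour
REVERT_TTL = 7 * 86400   # assumed: old address can undo for 7 days

def _h(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class EmailChangeFlow:
    """Hypothetical in-memory store; self.outbox stands in for a mailer."""
    def __init__(self, verify_password, now=time.time):
        self.verify_password, self.now = verify_password, now
        self.email, self.pending, self.revert = {}, {}, {}
        self.outbox, self.locked = [], set()

    def request_change(self, user, password, new_email):
        if user in self.locked or not self.verify_password(user, password):
            return False
        # If an undo window is still open, keep notifying the ORIGINAL
        # address, so a second change cannot overwrite the owner's way back.
        prev = self.revert.get(user)
        old = prev[1] if prev and self.now() <= prev[2] else self.email[user]
        confirm, undo = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[user] = (_h(confirm), new_email, self.now() + CONFIRM_TTL)
        self.revert[user] = (_h(undo), old, self.now() + REVERT_TTL)
        self.outbox.append((new_email, "confirm", confirm))
        self.outbox.append((old, "notice-with-undo", undo))
        return True

    def _valid(self, rec, token):
        return (bool(rec) and self.now() <= rec[2]
                and hmac.compare_digest(rec[0], _h(token)))

    def confirm(self, user, token):
        rec = self.pending.get(user)
        if not self._valid(rec, token):
            return False
        self.email[user] = rec[1]
        del self.pending[user]
        return True

    def undo(self, user, token):
        # Needs only the link mailed to the old address, not the password.
        rec = self.revert.get(user)
        if not self._valid(rec, token):
            return False
        self.email[user] = rec[1]
        self.pending.pop(user, None)
        del self.revert[user]
        self.locked.add(user)  # password presumed compromised: block changes
        return True
```

The old address never has to confirm anything, so a dead mailbox does not block a legitimate change; it only loses the ability to undo one.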
08-04-2016, 10:10 PM | #8 |
Well trained by Cats
Posts: 29,800
Karma: 54830978
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
|
|
|