SECURITY: API PUT /users/self - verify e-mail on update - read the description please #54
Closed
Labels
critical
App down / data leak / core functionality not usable.
Overview
When a User updates the e-mail address in the profile, the new address does not get verified.
PANIC!? I don't think so, but definitely not nice.
What vector does it open up?
4.1 Logs in with FB/Google (an identity that has the e-mail in its profile): User A sees whatever malicious user B has done in the account. If A changes the password, B is locked out and cannot access it any more.
4.2 Tries to create an account with e-mail/password and gets the error "e-mail already in use". He is confused and goes for the "Forgot password" flow, after which A verifies ownership of the e-mail and gets the account, locking malicious user B out.
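As an added illustration (not the project's own code; the handler name, the in-memory store and the e-mail addresses are constructed for the example), this shows the behaviour the issue describes beside a hardened PUT /users/self flow: the change is parked as a pending address with a hashed, expiring, single-use token mailed to the new address, and the verified e-mail (the one used for login and FB/Google matching) only changes once that token is confirmed.

```python
"""Added example (not the project's code): e-mail change on PUT /users/self that keeps the
verified address unchanged until the new one is confirmed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumption: a one-hour confirmation window


@dataclass
class User:
    user_id: int
    email: str                               # verified address: the only one used for login/matching
    pending_email: Optional[str] = None      # claimed but not yet proven
    pending_token_hash: Optional[str] = None
    pending_expires_at: float = 0.0


USERS: Dict[int, User] = {}          # constructed in-memory user store
EMAIL_INDEX: Dict[str, int] = {}     # verified e-mail -> user_id (pending addresses are never indexed)
OUTBOX: List[Tuple[str, str]] = []   # constructed stand-in for the mail sender: (recipient, raw token)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(user: User) -> None:
    user.pending_email = None
    user.pending_token_hash = None
    user.pending_expires_at = 0.0


def create_user(user_id: int, email: str) -> User:
    user = User(user_id=user_id, email=email)
    USERS[user_id] = user
    EMAIL_INDEX[email] = user_id
    return user


def update_self_vulnerable(user: User, new_email: str) -> str:
    """The behaviour reported in the issue: the address is replaced with no proof of ownership."""
    EMAIL_INDEX.pop(user.email, None)
    user.email = new_email
    EMAIL_INDEX[new_email] = user.user_id
    return user.email


def update_self(user: User, new_email: str, now: Optional[float] = None) -> dict:
    """Hardened handler: record the new address as pending and mail a confirmation token to it."""
    now = time.time() if now is None else now
    new_email = new_email.strip().lower()
    if new_email == user.email:
        return {"email": user.email, "pending_email": None}
    # An address already verified by another account cannot be claimed at all.
    if new_email in EMAIL_INDEX and EMAIL_INDEX[new_email] != user.user_id:
        raise ValueError("e-mail already in use")
    token = secrets.token_urlsafe(32)
    user.pending_email = new_email
    user.pending_token_hash = _hash_token(token)    # persist only the hash
    user.pending_expires_at = now + TOKEN_TTL_SECONDS
    OUTBOX.append((new_email, token))                # raw token goes to the NEW address only
    return {"email": user.email, "pending_email": new_email}


def confirm_email(user: User, token: str, now: Optional[float] = None) -> bool:
    """Apply the pending address only for a valid, unexpired token; the token is single-use."""
    now = time.time() if now is None else now
    if user.pending_email is None or user.pending_token_hash is None:
        return False
    if now > user.pending_expires_at:
        _clear_pending(user)
        return False
    if not hmac.compare_digest(user.pending_token_hash, _hash_token(token)):
        return False
    if user.pending_email in EMAIL_INDEX and EMAIL_INDEX[user.pending_email] != user.user_id:
        _clear_pending(user)  # someone else verified this address in the meantime
        return False
    EMAIL_INDEX.pop(user.email, None)
    user.email = user.pending_email
    EMAIL_INDEX[user.email] = user.user_id
    _clear_pending(user)
    return True


def demo() -> dict:
    """Walks the hardened flow on constructed data and returns the observable results."""
    USERS.clear(); EMAIL_INDEX.clear(); OUTBOX.clear()
    b = create_user(2, "b@example.invalid")
    pending = update_self(b, "victim@example.invalid", now=1000.0)
    # Until confirmation the verified address, and therefore login matching, is unchanged.
    still_old = b.email == "b@example.invalid" and "victim@example.invalid" not in EMAIL_INDEX
    wrong_token = confirm_email(b, "not-the-token", now=1001.0)
    confirmed = confirm_email(b, OUTBOX[-1][1], now=1002.0)
    return {"pending": pending["pending_email"], "still_old": still_old,
            "wrong_token": wrong_token, "confirmed": confirmed, "final_email": b.email}


if __name__ == "__main__":
    print(demo())
```

Because EMAIL_INDEX only ever contains verified addresses, a FB/Google login that matches users by e-mail cannot land in an account whose address was merely claimed, which closes both 4.1 and 4.2. A real deployment would additionally notify the old address of the pending change and rate-limit token attempts; both are left out here to keep the example short.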
Credits
Related code:
TODO