
[Outreachy Task Submission] Security Issues With Email And Password Update #4881

Closed
Aquilaafuadajo opened this issue Mar 26, 2024 · 0 comments


Description

I have some security concerns about the way passwords are being updated at the moment. Ideally what I expected to see was 3 input fields (old password, new password, confirm new password), but I only saw 2, which are new password and confirm new password. There's no way to ensure that it's the legitimate owner of the account initiating the password update.
I have the same concerns for email update: there's no extra step in verifying the legitimacy of the user initiating this request.
I'm curious if there are any insights behind this implementation.

Proposal

  • Introduce a new field for the old password to verify the legitimacy of the user.
  • Once the password update is successful, log the user out and prompt them to re-authenticate.
  • For email update I have two suggestions:
    1. The email field should be uneditable.
    2. Updates to the email field should require the password to be entered to validate the current user.
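The flow proposed above, as an added example that is not part of this issue or of the project's code: a minimal account service (the `AccountService`, `User`, session store and result strings are all assumptions made for this illustration) that refuses a password change unless the old password verifies and the two new-password fields match, revokes every session of the user once the change succeeds so they must re-authenticate, and requires the current password before an email address can be changed. Hashing uses PBKDF2-HMAC-SHA256 from the standard library with a constant-time comparison; the user IDs, emails and passwords in the demo are constructed.

```python
"""Re-authentication before sensitive account changes (illustrative, not project code)."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count; a real project
# would normally pick a memory-hard KDF (scrypt/argon2) and tune this value.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    password_hash: bytes


class AccountService:
    """Hypothetical account store: users keyed by id, sessions keyed by token."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.sessions: Dict[str, int] = {}  # session token -> user_id
        self._next_id = 1

    def register(self, email: str, password: str) -> int:
        salt, digest = hash_password(password)
        uid = self._next_id
        self._next_id += 1
        self.users[uid] = User(uid, email, salt, digest)
        return uid

    def login(self, email: str, password: str) -> Optional[str]:
        """Return a fresh session token, or None on any failure (no reason leaked)."""
        user = next((u for u in self.users.values() if u.email == email), None)
        if user is None or not verify_password(password, user.salt, user.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user.user_id
        return token

    def _user_for_session(self, token: str) -> User:
        uid = self.sessions.get(token)
        if uid is None:
            raise PermissionError("not authenticated")
        return self.users[uid]

    def _revoke_all_sessions(self, uid: int) -> None:
        for token in [t for t, u in self.sessions.items() if u == uid]:
            del self.sessions[token]

    def change_password(self, token: str, old_password: str,
                        new_password: str, confirm_password: str) -> str:
        """Three-field flow: old password must verify and new/confirm must match.

        On success every session of the user (including the calling one) is
        revoked, which forces the re-login the issue proposes.
        """
        user = self._user_for_session(token)
        if new_password != confirm_password:
            return "mismatch"
        if not verify_password(old_password, user.salt, user.password_hash):
            return "bad_password"
        user.salt, user.password_hash = hash_password(new_password)
        self._revoke_all_sessions(user.user_id)
        return "ok"

    def change_email(self, token: str, password: str, new_email: str) -> str:
        """Email change is only accepted when the current password verifies."""
        user = self._user_for_session(token)
        if not verify_password(password, user.salt, user.password_hash):
            return "bad_password"
        user.email = new_email
        return "ok"


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice@example.com", "correct horse")
    sid = svc.login("alice@example.com", "correct horse")
    print(svc.change_password(sid, "wrong", "n3w-pass", "n3w-pass"))  # bad_password
    print(svc.change_password(sid, "correct horse", "n3w-pass", "n3w-pass"))  # ok
    print(sid in svc.sessions)  # False: the caller has been logged out
```

Note that `login` and the two change methods deliberately return the same generic failure for an unknown account and a wrong password, so the endpoint does not become a user-enumeration oracle; the distinct `"mismatch"` result is safe to show because it only reflects the caller's own two new-password fields.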