[Savannah-help-public] [sr #107268] Verification of account email change
From: Matt McCutchen
Subject: [Savannah-help-public] [sr #107268] Verification of account email changes is ineffective
Date: Sat, 13 Feb 2010 22:44:37 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6
URL:
<http://savannah.gnu.org/support/?107268>
Summary: Verification of account email changes is ineffective
Project: Savannah Administration
Submitted by: hashproduct
Submitted on: Sat 13 Feb 2010 05:44:37 PM EST
Category: Savannah website
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Operating System: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
When I change my account email address via the "My Account Conf" page,
Savannah sends a verification link to the new email address to make me prove
that I control it:

    You have requested a change of email address on Savannah.
    Please visit the following URL to complete the email change:
    https://savannah.gnu.org/my/admin/change.php?item=email&confirm_hash=0cdb6814142967ec&step=confirm
    -- the Savannah team.

But Savannah sends the same link to my old email address, except for a query
parameter at the end:

    Someone, presumably you, has requested a change of email address on
    Savannah.
    If it wasn't you, maybe someone is trying to steal your account...
    Your current address is address@hidden, the supposedly new address
    is address@hidden
    If you did not request that change, please visit the following URL to
    discard the email change and report the problem to us:
    https://savannah.gnu.org/my/admin/change.php?item=email&confirm_hash=0cdb6814142967ec&step=discard
    -- the Savannah team.

So I can complete the verification without actually controlling the new
address! Savannah should be changed to use different tokens in the two links.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107268>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
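
The fix the report asks for (different tokens in the two links), sketched as an added example that is not part of the original report and is not Savannah's code. The class name, method names and in-memory store are hypothetical, and the addresses in any caller are constructed.

```python
import hashlib
import hmac
import secrets


def _digest(token: str) -> bytes:
    # Store only a hash so a leaked table does not reveal usable links.
    return hashlib.sha256(token.encode()).digest()


class EmailChangeRequests:
    """Pending email changes keyed by user (hypothetical in-memory store)."""

    def __init__(self):
        self._pending = {}

    def request(self, user: str, new_email: str):
        """Create a pending change and return (confirm_token, discard_token).

        confirm_token goes only into the mail sent to the NEW address,
        discard_token only into the mail sent to the OLD address.
        """
        confirm = secrets.token_urlsafe(32)
        discard = secrets.token_urlsafe(32)  # independent of confirm
        self._pending[user] = {
            "new_email": new_email,
            "confirm": _digest(confirm),
            "discard": _digest(discard),
        }
        return confirm, discard

    def handle(self, user: str, step: str, token: str) -> str:
        """Process step=confirm or step=discard and return the outcome."""
        entry = self._pending.get(user)
        if entry is None or step not in ("confirm", "discard"):
            return "rejected"
        # Each step is checked against its own token, in constant time, so
        # changing the step parameter in a link does not change what it can do.
        if not hmac.compare_digest(entry[step], _digest(token)):
            return "rejected"
        del self._pending[user]  # both tokens are single-use
        if step == "confirm":
            return "changed:" + entry["new_email"]
        return "discarded"
```

With this layout the link mailed to the old address can only discard the request, so confirming still requires reading mail at the new address.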