Topic: Site Bugs
Hi Sol. Had a device stolen that's logged in here, so I went ahead and changed my password.
Now here's where the fun begins:
Existing devices are not kicked off / logged off when I set my password. The holder of the device can simply change my password to anything he desires. He can also change my email address to his own, then click "lost password" and unreset mine. (I validated the former is possible using my phone).
Recommend: Attempt to change email address goes through an email confirmation cycle
Recommend: Change password expires any active tokens on the user account
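The two recommendations above, sketched as an added example that is not part of the original post and is not the site's code. The `Account` class, the per-account `epoch` counter, and the choice to send the confirmation to the address currently on file are assumptions made for illustration.

```python
import hashlib, hmac, secrets
SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo

class Account:
    """Hypothetical in-memory account; every name here is illustrative."""
    def __init__(self, user_id, email, password):
        self.user_id, self.email = user_id, email
        self.epoch = 0             # bumped on every password change
        self.pending_email = None  # (new_address, confirmation_token) or None
        self._set_password(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)

    def _sign(self, epoch):
        return hmac.new(SERVER_KEY, f"{self.user_id}:{epoch}".encode(), hashlib.sha256).hexdigest()

    def login(self, password):  # returns a token bound to the current epoch, or None
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return None
        return f"{self.epoch}.{self._sign(self.epoch)}"

    def session_valid(self, token):
        epoch, _, sig = token.partition(".")
        return epoch == str(self.epoch) and hmac.compare_digest(sig.encode(), self._sign(self.epoch).encode())

    def change_password(self, token, new_password):
        if not self.session_valid(token):
            return None
        self._set_password(new_password)
        self.epoch += 1            # tokens issued before this point stop validating
        self.pending_email = None  # drop any email change staged by an old session
        return self.login(new_password)  # fresh token for the device that made the change

    def request_email_change(self, token, new_email):
        if not self.session_valid(token):
            return None
        self.pending_email = (new_email, secrets.token_urlsafe(16))
        return self.pending_email[1]  # stands in for the mail sent to the current address

    def confirm_email_change(self, confirmation):
        pending = self.pending_email
        if pending and hmac.compare_digest(confirmation.encode(), pending[1].encode()):
            self.email, self.pending_email = pending[0], None
            return True
        return False
```

Because the address on file only changes in `confirm_email_change`, a session on another device can stage a change but cannot complete it without access to the owner's mailbox.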