Topic: Site Bugs

Hi Sol. Had a device stolen that's logged in here, so I went ahead and changed my password.

Now here's where the fun begins:

Existing devices are not kicked off / logged off when I set my password. The holder of the device can simply change my password to anything he desires. He can also change my email address to his own, then click "lost password" and unreset mine. (I validated the former is possible using my phone).

Recommend: Attempt to change email address goes through an email confirmation cycle
Recommend: Change password expires any active tokens on the user account

Re: Site Bugs

Alternatively, choosing a new password should require me to enter my old password
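The two posts above between them ask for three server-side controls: an email change should only take effect after the new address confirms it, a password change should invalidate every other live session, and a password change should require the current password. The following Python sketch is an added illustration of how a session store can enforce all three; it is not the site's code, and the `AccountService` class, the per-account `generation` counter and the in-memory `outbox` standing in for email delivery are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    generation: int = 0                 # bumped on every credential change
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash; the iteration count is a constructed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Hypothetical account service showing the three mitigations from the thread."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}   # token -> (username, generation)
        self.outbox: List[Tuple[str, str]] = []          # (recipient, body); stands in for email

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, email, salt, _hash(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash(password, user.salt), user.password_hash)

    def login(self, username: str, password: str) -> str:
        user = self.users[username]
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user.generation)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        # A session is live only while its generation matches the account's current one.
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, gen = entry
        if gen != self.users[username].generation:
            del self.sessions[token]        # stale: issued before a credential change
            return None
        return username

    def change_password(self, token: str, old_password: str, new_password: str) -> str:
        username = self.authenticate(token)
        if username is None:
            raise PermissionError("not logged in")
        user = self.users[username]
        if not self._check_password(user, old_password):
            raise PermissionError("old password required")   # a stolen session alone is not enough
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash(new_password, user.salt)
        user.generation += 1                 # every session issued before this point is now dead
        del self.sessions[token]
        fresh = secrets.token_urlsafe(32)    # re-issue only for the device that made the change
        self.sessions[fresh] = (username, user.generation)
        return fresh

    def request_email_change(self, token: str, new_email: str) -> None:
        username = self.authenticate(token)
        if username is None:
            raise PermissionError("not logged in")
        user = self.users[username]
        user.pending_email = new_email
        user.pending_token = secrets.token_urlsafe(32)
        # The address only changes once the NEW mailbox proves it received the token;
        # the old address is told so the real owner can react.
        self.outbox.append((new_email, f"confirm:{user.pending_token}"))
        self.outbox.append((user.email, "notice: an email change was requested"))

    def confirm_email_change(self, username: str, confirmation: str) -> bool:
        user = self.users[username]
        if user.pending_token is None or not hmac.compare_digest(user.pending_token, confirmation):
            return False
        user.email = user.pending_email
        user.pending_email = user.pending_token = None
        user.generation += 1                 # recovery address changed: treat like a credential change
        return True
```

The key design choice is that sessions carry the generation number they were issued under rather than being looked up and deleted one by one: bumping the counter kills every outstanding token in one write, including any the server no longer knows about, and the device that made the change simply gets a fresh token.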

Re: Site Bugs

Also, please beware, if I delete this post for no apparent reason

Re: Site Bugs

Kdot wrote:

Hi Sol. Had a device stolen that's logged in here, so I went ahead and changed my password.

Now here's where the fun begins:

Existing devices are not kicked off / logged off when I set my password. The holder of the device can simply change my password to anything he desires. He can also change my email address to his own, then click "lost password" and unreset mine. (I validated the former is possible using my phone).

Recommend: Attempt to change email address goes through an email confirmation cycle
Recommend: Change password expires any active tokens on the user account

Good Lord in heaven!  What if they post some bad writing under your name?

Re: Site Bugs

Temple Wang wrote:
Kdot wrote:

Hi Sol. Had a device stolen that's logged in here, so I went ahead and changed my password.

Now here's where the fun begins:

Existing devices are not kicked off / logged off when I set my password. The holder of the device can simply change my password to anything he desires. He can also change my email address to his own, then click "lost password" and unreset mine. (I validated the former is possible using my phone).

Recommend: Attempt to change email address goes through an email confirmation cycle
Recommend: Change password expires any active tokens on the user account

Good Lord in heaven!  What if they post some bad writing under your name?

Hmm, or a best seller. Take care. Vern

Re: Site Bugs

vern wrote:
Temple Wang wrote:
Kdot wrote:

Hi Sol. Had a device stolen that's logged in here, so I went ahead and changed my password.

Now here's where the fun begins:

Existing devices are not kicked off / logged off when I set my password. The holder of the device can simply change my password to anything he desires. He can also change my email address to his own, then click "lost password" and unreset mine. (I validated the former is possible using my phone).

Recommend: Attempt to change email address goes through an email confirmation cycle
Recommend: Change password expires any active tokens on the user account

Good Lord in heaven!  What if they post some bad writing under your name?

Hmm, or a best seller. Take care. Vern

Damned optimists ... always looking for the silver lining in every disaster.  ;-)

Re: Site Bugs

Kdot wrote:

Alternatively, choosing a new password should require me to enter my old password

You mean we don't have that? We definitely should.