17

There was a bug in "Change email" module. When the functionality is called, it sends 2 emails:
1. to a current email w/ a link to 'reject email change'
2. to a new email w/ a link to 'confirm email change'

The flaw was in how these links worked (the clockwork behind them). If one link is clicked, another one is NOT deactivated in the bkend :)

Now the task for you is to figure out why this is wrong :)

Comments
  • 15
    So if you rejected it, the attacker could still confirm it.
  • 4
    And you never fixed it?
  • 3
    @electrineer nope.. it was "low priority" :) And then I got pulled out from that project as well
  • 0
    @Alice Yes. And vice versa (when the user is trying to recover his email setting)
  • 1
    @netikras This system is weird in the first place. Most people would change their email address in their accounts because they don't have access to it anymore or don't own the domain it was a part of anymore. Such a system opens more security issues than usual in the first place.
  • 1
    @Alice I agree with you :) All the devs in that project except one (the one who's calling all the shots) would agree with you ;)
Your Job Suck?
Get a Better Job
Add Comment