WakaTime: Lack of Password Confirmation When Changing Email

ID H1:245334
Type hackerone
Reporter pratyushjanghel
Modified 2017-07-03T06:49:30


When a user wants to change the password, the current password is asked for before proceeding with the request. This should also be implemented when changing the email.

Attack Scenario: When someone forgets to log out of the account on a public computer, anyone can change the email to their own and verify it. After that, using the forgot password feature, they can change the password too.

Reference From: #546

Best Regards, Pratyush Janghel
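
The control the report asks for, shown as an added example (not part of the original report and not WakaTime's code): an email change gated on the current password, next to the session-only behaviour the report describes. The `Account` model, function names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ReauthRequired(Exception):
    """Raised when a sensitive change is attempted without the current password."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    # Hypothetical in-memory account model, constructed for this example.
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(password, self.salt)

    def check_password(self, candidate: str) -> bool:
        # Constant-time comparison of the derived hashes.
        derived = _hash_password(candidate or "", self.salt)
        return hmac.compare_digest(self.password_hash, derived)


def change_email_session_only(account: Account, new_email: str) -> None:
    # Behaviour described in the report: a logged-in session alone is enough,
    # so whoever holds the session can repoint the password-reset address.
    account.email = new_email


def change_email(account: Account, new_email: str, current_password: str) -> None:
    # Same gate the report says already protects password changes:
    # the caller must prove knowledge of the current password first.
    if not account.check_password(current_password):
        raise ReauthRequired("current password required to change email")
    account.email = new_email
```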