Inflection: No password confirmation on changing primary email address

2017-10-13T03:13:40
ID H1:276816
Type hackerone
Reporter sec_ninja1
Modified 2017-10-18T16:57:27

Description

Users may change the primary email address associated with their account without being required to confirm their password again. The security researcher reporting this proposed that we add a password confirmation field when performing an email change.

After considering the issue, we don't intend to implement the suggestion at this time. This issue falls more into the "best practices" bucket than it does the vulnerability bucket, since this behavior in and of itself does not allow a user's account to be compromised.