EMAIL SQUATTING #4005
Replies: 2 comments 1 reply
-
Only linking the email when it is actually confirmed is planned as part of #3550. Do note that while you can always add an unverified email of another user to your own account, that won't prevent that user from being able to reclaim the account with their email on it: when they sign up, they are informed that the account already exists, and the forgotten-password flow can be used to reclaim the account.
-
Thanks for the reply. As you describe it, that's a huge risk, isn't it? If someone adds an email that isn't his, that individual can always access the account of the latter and vice versa.
-
So, I wanted to know if there's a built-in way to prevent email squatting when adding secondary mails. Sure enough, when you set that the email must be verified for account creation, no one can use your email to log in and leave you unable to sign up with your own mail. However, when secondary mails are added, this requirement isn't fulfilled, that is, there is no check that the email must belong to the one initiating the action for it to be added to his account. This, in turn, can lead to email squatting. Of course, one could add a check that sends a login code to the email the user is attempting to link before the linking is done and so forth, but isn't there already a mechanism that deals with this (maybe reclaiming unverified emails etc.)? Thanks in advance
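The "send a code to the mailbox before linking" check proposed in the question, as an added illustration that is not code from this project or the discussion participants. It assumes an in-memory account store; the key points are that a pending (unconfirmed) secondary email never counts as owned, so a squatted address cannot block the real owner's sign-up, and that ownership is re-checked when the code is confirmed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 15 * 60  # seconds a link code stays valid (assumed policy)

def _digest(code):
    # Store only a hash of the code so a database read cannot replay it.
    return hashlib.sha256(code.encode()).hexdigest()

@dataclass
class Account:
    verified: set = field(default_factory=set)   # emails proven to belong to the user
    pending: dict = field(default_factory=dict)  # email -> (code digest, expiry time)

class Directory:
    def __init__(self):
        self.accounts = {}  # username -> Account

    def owner_of(self, email):
        # Only verified emails count: a pending (squatted) entry must never block the owner.
        for user, acct in self.accounts.items():
            if email in acct.verified:
                return user
        return None

    def sign_up(self, user, email):
        if user in self.accounts or self.owner_of(email) is not None:
            return False
        self.accounts[user] = Account(verified={email})
        return True

    def request_link(self, user, email, now):
        # Returns the one-time code to deliver to that mailbox; nothing is linked yet.
        if self.owner_of(email) is not None:
            raise ValueError("email already verified on another account")
        code = secrets.token_urlsafe(24)
        self.accounts[user].pending[email] = (_digest(code), now + TOKEN_TTL)
        return code

    def confirm_link(self, user, email, code, now):
        entry = self.accounts[user].pending.pop(email, None)  # one attempt per code
        # Re-check ownership here too: the real owner may have signed up meanwhile.
        if entry is None or now > entry[1] or self.owner_of(email) is not None:
            return False
        if not secrets.compare_digest(entry[0], _digest(code)):
            return False
        self.accounts[user].verified.add(email)
        return True
```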