Closed EgidioRomano closed 2 years ago
Thank you for noticing this. We have discussed this issue. We went from "this is a really simple mistake" to "actually, there was a reason why we initially didn't implement this solution". Anyway, this really is a potential issue and we will add a password requirement to this API endpoint. But as not all users have a password (users who have registered using ID-card, Smart-ID or Mobile-ID), we will probably have to discuss adding other confirmation methods.
What is the problem? When setting a new password or changing the email address from the "My account" page, the application does not require knowledge of the current user's password, or any other form of authentication. This could potentially be abused by an attacker to change the password of another user, thus gaining the privileges associated with that user.
Possible solution. It is suggested that the user be required to enter their current password when they want to update critical information such as the password or email address.
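As an added illustration of the issue and the suggested fix (example code written for this page, not the project's own handler), the following Python sketch shows the account-update logic in its reported shape, where the session alone authorises the change, next to a hardened form that demands the current password, and, for accounts that have no password because they were registered with ID-card, Smart-ID or Mobile-ID, a recent strong authentication instead. The `User` model, the `last_strong_auth` field, the 300-second confirmation window and scrypt as the password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional


class ReauthRequired(Exception):
    """A sensitive change was attempted without fresh proof that the session holder owns the account."""


@dataclass
class User:
    user_id: int
    email: str
    # Accounts registered through ID-card / Smart-ID / Mobile-ID may never have set a password.
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    # Unix time of the most recent eID login, used as the confirmation for password-less accounts
    # (hypothetical field assumed for this example).
    last_strong_auth: float = 0.0


# Hypothetical policy: an eID login counts as confirmation for this many seconds.
REAUTH_WINDOW_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt with modest parameters; memory cost is 128 * r * n = 16 MiB per call.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def set_password(user: User, new_password: str) -> None:
    user.pw_salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.pw_salt)


def verify_password(user: User, candidate: str) -> bool:
    if user.pw_hash is None or user.pw_salt is None:
        return False  # no password on file: nothing to compare against
    # Constant-time comparison of the derived key against the stored hash.
    return hmac.compare_digest(hash_password(candidate, user.pw_salt), user.pw_hash)


def update_account_insecure(user: User, new_password: Optional[str] = None,
                            new_email: Optional[str] = None) -> None:
    """The pattern the report describes: the session alone authorises the change.

    Whoever holds a valid session (stolen cookie, unattended browser, a script injected
    into the page) can set a new password or redirect the account's email without ever
    proving knowledge of the existing credential."""
    if new_password is not None:
        set_password(user, new_password)
    if new_email is not None:
        user.email = new_email


def update_account(user: User, *, current_password: Optional[str] = None,
                   new_password: Optional[str] = None, new_email: Optional[str] = None,
                   now: Optional[float] = None) -> None:
    """Hardened form: demand fresh proof of identity before touching password or email."""
    now = time.time() if now is None else now
    if new_password is None and new_email is None:
        return  # nothing sensitive requested
    if user.pw_hash is not None:
        # Password account: the current password must be supplied and must verify.
        if current_password is None or not verify_password(user, current_password):
            raise ReauthRequired("current password is required to change password or email")
    else:
        # Password-less (eID) account: require a recent strong authentication instead.
        if now - user.last_strong_auth > REAUTH_WINDOW_SECONDS:
            raise ReauthRequired("confirm with ID-card, Smart-ID or Mobile-ID first")
    if new_password is not None:
        set_password(user, new_password)
    if new_email is not None:
        user.email = new_email


if __name__ == "__main__":
    victim = User(1, "victim@example.org")  # constructed sample account
    set_password(victim, "correct horse battery staple")
    update_account_insecure(victim, new_password="attacker-chosen")  # succeeds with session alone
    try:
        update_account(victim, current_password="guess", new_email="attacker@example.org")
    except ReauthRequired as exc:
        print("hardened endpoint refused:", exc)
```

The hardened handler keys its check on whether a password exists at all, so eID-only accounts are not locked out of the settings page; they are instead asked to re-authenticate with the method they registered with. Whatever the confirmation method, changing the password or email should also be followed by invalidating the user's other sessions, so a stolen session cannot outlive the change.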