Closed kalobkalob closed 8 years ago
Those settings buttons should be for your account even if on a different resume.
It gave me access to the other account. I was testing this between two accounts: bsbenson@gmail.com and kalobkalob@yahoo.com. With bsbenson the name saved is Ben Benson; with kalobkalob the name listed is Bob Knob. When I changed Ben Benson's email to kalobkalob@yahoo.com, it showed Bob Knob's settings page.
I found out what's happening: using the link does not terminate any existing session, which allows you to try and change the email address. This fails because the username already exists, BUT somehow ends up logging you in with the other user's account.
On the other hand, the only way to actually execute this attack is:
If you already have access to the other user's email account, there's not much that we can do about that.
I'll fix the "being able to change your email to an existing email" though, that should not be possible.
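A minimal model of the two fixes discussed above (ending the existing session when a feedback link is opened, and refusing an email change to an address that belongs to another account), added here as an illustration rather than the project's own code; the class and method names, the token format and the sample accounts are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

@dataclass
class User:
    user_id: int
    name: str
    email: str

class EmailTakenError(ValueError): pass  # address already belongs to another account

class AccountService:
    def __init__(self, users):
        self.users: Dict[int, User] = {u.user_id: u for u in users}
        self.feedback_tokens: Dict[str, int] = {}  # token -> resume owner's id
    def issue_feedback_link(self, owner_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self.feedback_tokens[token] = owner_id
        return token
    def open_feedback_link(self, session: dict, token: str) -> int:
        # Fix 1: opening the link ends whatever session the browser already holds.
        owner_id = self.feedback_tokens.pop(token, None)  # single use
        if owner_id is None:
            raise PermissionError("unknown or already used feedback token")
        session["user_id"] = None
        return owner_id
    def change_email(self, session: dict, new_email: str) -> str:
        # Fix 2: refuse a taken address; on failure the session is never rebound.
        uid = session.get("user_id")
        if uid is None:
            raise PermissionError("not logged in")
        wanted = new_email.strip().lower()
        for other in self.users.values():
            if other.user_id != uid and other.email.lower() == wanted:
                raise EmailTakenError(f"{wanted} is already registered")
        self.users[uid].email = wanted
        return wanted

def run_scenario():
    # Constructed sample accounts mirroring the thread's two test users.
    ben, bob = User(1, "Ben Benson", "ben@example.com"), User(2, "Bob Knob", "bob@example.com")
    svc, session = AccountService([ben, bob]), {"user_id": ben.user_id}
    try:
        svc.change_email(session, bob.email)
        outcome = "changed"
    except EmailTakenError:
        outcome = "rejected"
    return outcome, session["user_id"], ben.email
```

`run_scenario()` replays the reported test: the change is rejected, and the session still belongs to Ben rather than switching to Bob.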
Perhaps in the future we should offer to combine/merge the accounts rather than completely blocking it. That ability doesn't currently exist, right?
You mean merging accounts when, for example, a user registers with LTI and then registers another account with /register? No, that's not possible right now.
A feedback request is a security flaw for a person's account. It provides access to a resume's setting page to anyone who's been sent a feedback request email.
The simplest thing at this point to correct this would be to remove extra buttons.