voodoodyne / subetha

SubEtha Mail is a J2EE-based mailing list manager

"Confirm additional email address" should not show password #35

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The "confirm additional email address" message sent to the new address shows 
the password of the requesting user in plain text, when it should not, since 
the receiver of such a message may have gotten it due to user error (typo, 
anyone?) but will nonetheless be granted full access to the requesting 
user's account, simply by virtue of _actively_being_told_ his login data, and 
all his list memberships.

Jeff:  This needs some discussion.

Original issue reported on code.google.com by lhori...@gmail.com on 4 Jun 2009 at 11:22