Provide email notification when a user changes their email address
This report comes from HackerOne but does not require confidentiality. This reporter correctly expects notification to be provided to the old email address when a user changes their email address. This feature could help make a user aware of their account being compromised and is a fairly standard security control.
Title: No email notification/verification when change email
Weakness: Violation of Secure Design Principles
Date: 2017-11-03 19:07:14 +0000
I have found that you notify users when password has changed - this is really good! However I have found out that you do not verify/notify users when email has changed. This is very critical for two reasons:
- When changing an email address there is no password verification
- When an account is compromised the first thing what an attacker wants to do is change the email. Without notification user can't never know that the account is compromised!