Provide email notification when a user changes their email address

This report comes from HackerOne but does not require confidentiality. This reporter correctly expects notification to be provided to the old email address when a user changes their email address. This feature could help make a user aware of their account being compromised and is a fairly standard security control.

---

Title: No email notification/verification when change email

Scope: None

Weakness: Violation of Secure Design Principles

Severity: Medium

Link: https://hackerone.com/reports/287169

Date: 2017-11-03 19:07:14 +0000

By: @muon4

Details:

Hello!

I have found that you notify users when password has changed - this is really good! However I have found out that you do not verify/notify users when email has changed. This is very critical for two reasons:

• When changing an email address there is no password verification
• When an account is compromised the first thing what an attacker wants to do is change the email. Without notification user can't never know that the account is compromised!