https://bugzilla.wikimedia.org/show_bug.cgi?id=27060

           Summary: Users should be asked for their passwords when setting
                    new email addresses
           Product: MediaWiki
           Version: 1.16.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: User preferences
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: liang...@gmail.com
                CC: agarr...@wikimedia.org


I assume our check for the old password in Special:Resetpass is to prevent the
case where I change someone's password when I'm using his computer and he didn't
log out of his account.

However, our allowance for setting a new email address without typing the password
again makes this check useless, since I can change/set his email address to
mine and request a new password. In this way I can get his account without
knowing his old password.

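The gap described in this report, as an added example that is not part of the original report and is not MediaWiki code: a minimal Python model in which an email change passes through the same current-password check as a password change. The Account class, its method names, the sample addresses and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ReauthRequired(PermissionError):
    """Raised when a sensitive change is attempted without the current password."""


class Account:
    def __init__(self, name, password, email):
        self.name = name
        self.email = email
        self._salt = os.urandom(16)
        self._hash = self._derive(password)

    def _derive(self, password):
        # PBKDF2 parameters are illustrative, not MediaWiki's.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _reauth(self, current_password):
        # A live session is not enough: the caller must prove knowledge of the password.
        if current_password is None or not hmac.compare_digest(
                self._derive(current_password), self._hash):
            raise ReauthRequired("current password required")

    def change_password(self, current_password, new_password):
        self._reauth(current_password)
        self._hash = self._derive(new_password)

    def change_email(self, current_password, new_email):
        # Same gate as change_password: the address on record decides where
        # reset mail goes, so changing it is as sensitive as changing the password.
        self._reauth(current_password)
        self.email = new_email

    def reset_destination(self):
        # Password reset mail always goes to the address on record.
        return self.email


def demo():
    # Constructed sample account; a borrowed session supplies no or a wrong password.
    acct = Account("Alice", "correct horse", "alice@example.org")
    results = []
    for attempt in (None, "guess"):
        try:
            acct.change_email(attempt, "other@example.net")
            results.append("changed")
        except ReauthRequired:
            results.append("refused")
    acct.change_email("correct horse", "alice@new.example.org")
    return results, acct.reset_destination()
```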