Last Updated: February 25, 2016
·
508
· Andrew Stilliard

Security tip, remember to password confirm email address changes

If your asking the user to enter there existing password before updating it (which you should anyway), and you have a way on the of your site to change a password by emailing a link to you, then make sure you force the user to re-enter their password before they change their email as otherwise someone could just change the email, ask for a new password link, change it that way and then change the email back, therefore completely bypassing your exiting password check.
Too often I see this issue on fairly large sites, and start to question how secure other parts of the site are.