Last Updated: February 25, 2016
andrewstilliard

Security tip: remember to password-confirm email address changes

If you ask users to enter their existing password before changing it (which you should do anyway), and your site also offers a password reset that emails the user a link, then make sure you also force the user to re-enter their password before they can change their email address. Otherwise, anyone who gets hold of a logged-in session (but not the password) can simply change the account's email to one they control, request a password reset link, set a new password through that link, and then change the email back, completely bypassing your existing-password check. The same reasoning applies to any other account detail that feeds into account recovery, such as a recovery phone number: changing it is effectively a credential change and should be gated the same way.
Too often I see this issue on fairly large sites, and start to question how secure other parts of the site are.