Naive answer: You already do. You can't get to the change option if you're not logged in.i know that. what i was talking about was CSRF.
Cynical Answer: If someone else can get the ability to change your email, it's already compromised.Do you know what CSRF is? I can setup a html form on a different website that has a masked button or even a javascript-submit. it will change your email address if you visit this page (and click the harmless looking button if you don't have javascript enabled).
My opinion: More trouble than it's worth in terms of real security enhancement.well, if you knew CSRF you wouldn't say that.
with CSRF i have been able to automatically send myself a message everytime a monk visited my homenode (i tested this just to see if it worked). so if you visited my homenode i would have gotten e message by you. i could have also send out faked message to others. this is the same technique. and changing email and password is the most vulnerable kind of security hole. if you can do that you immediately can take over an account.
update: i tested it. everybody who wants to test it send me a message. be sure to open and save a form to change your user data before. otherwise your old user information will be all gone.
In reply to Re^2: Password required for email change
by tinita
in thread Password required for email change
by tinita
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |