[Savannah-help-public] [sr #107268] Verification of account email change

From: Matt McCutchen
Subject: [Savannah-help-public] [sr #107268] Verification of account email changes is ineffective
Date: Sat, 13 Feb 2010 22:44:37 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6


                 Summary: Verification of account email changes is
                 Project: Savannah Administration
            Submitted by: hashproduct
            Submitted on: Sat 13 Feb 2010 05:44:37 PM EST
                Category: Savannah website
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any



When I change my account email address via the "My Account Conf" page,
Savannah sends a verification link to the new email address to make me prove
that I control it:

You have requested a change of email address on Savannah.
Please visit the following URL to complete the email change:
-- the Savannah team.

But Savannah sends the same link to my old email address, except for a query
parameter at the end:

Someone, presumably you, has requested a change of email address on
If it wasn't you, maybe someone is trying to steal your account...

Your current address is address@hidden, the supposedly new
is address@hidden

If you did not request that change, please visit the following URL to
the email change and report the problem to us:

-- the Savannah team.

So I can complete the verification without actually controlling the new
address!  Savannah should be changed to use different tokens in the two links.


  Message sent via/by Savannah
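
The flaw described in the report above, next to the fix it proposes, as an added example that is not part of the original message and is not Savannah's code. The URL, the `token` and `action` parameter names and the `EmailChange` class are assumptions made for illustration; the report only says the two links differ by a query parameter.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

BASE = "https://savannah.example.invalid/account/change"  # placeholder URL


class EmailChange:
    """One pending email change with a confirm link and a cancel link."""

    def __init__(self, independent_tokens):
        self._confirm = secrets.token_urlsafe(32)
        # Proposed fix: the cancel link gets its own random token.
        # Reported behaviour: both links reuse the same token.
        self._cancel = (secrets.token_urlsafe(32) if independent_tokens
                        else self._confirm)
        self.state = "pending"

    def links(self):
        """Return (link mailed to the new address, link mailed to the old one)."""
        return (f"{BASE}?token={self._confirm}&action=confirm",
                f"{BASE}?token={self._cancel}&action=cancel")

    def handle(self, url):
        """Process a clicked link; each action only accepts its own token."""
        if self.state != "pending":
            return self.state
        query = parse_qs(urlsplit(url).query)
        token = query.get("token", [""])[0]
        action = query.get("action", [""])[0]
        expected = {"confirm": self._confirm, "cancel": self._cancel}.get(action)
        # Constant-time comparison on bytes, so odd input cannot raise.
        if expected and hmac.compare_digest(token.encode(), expected.encode()):
            self.state = "confirmed" if action == "confirm" else "cancelled"
        return self.state


def old_mailbox_can_confirm(change):
    """Regression check: does the old-address mail alone suffice to confirm?"""
    _, old_link = change.links()
    change.handle(old_link.replace("action=cancel", "action=confirm"))
    return change.state == "confirmed"


if __name__ == "__main__":
    print("shared token:", old_mailbox_can_confirm(EmailChange(False)))
    print("independent tokens:", old_mailbox_can_confirm(EmailChange(True)))
```
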
