Quote:
Originally Posted by naekko
[You must be logged in to view images. Log in or Register.]
Sorry, I'm a little slow Rogan! How do they change the e-mail address on the EQEmu account if you require them to click a link on the current e-mail address to change it.
Hacker gains access to EQemu account, tries to request a password for login server -> e-mail sent to current e-mail account (which he doesn't have access to).
Hacker tries to change e-mail address of current EQemu account -> e-mail sent to current e-mail account to confirm
In all of this he needs the current e-mail account to do anything right? I know you were worried about vulnerabilities in Vbulletin when you designed the EQEmu system, but I think forum + e-mail is as far as you should have to take it. In the end it's the users responsibility and if they use the same password for everything and get hacked or downloaded a trojan or a million other things you shouldn't have to plan around it.
If someone had their EQEmu account hacked months ago and the hacker already changed the e-mail address (using the old system) then I can't really think of anyway to verify the original owner or protect them. Tough cookies I guess, but there has to be a cut off point somewhere right?
|
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.