Quote:
Originally Posted by Rogean
The email address for an eqemulator account can be changed without requiring any confirmation; That's the point... The system was designed to be used in situations where a user didn't have access to the email address currently on file, so why would it require confirmation from the old address? That would be silly.
I understand, but that's the modification to vBulletin / EQEmu I'm suggesting. Instead of just sending an e-mail to the new address to change your e-mail, make it send it to the old and new address. This stops any hacking attempt unless the hacker has both access to the EQEmu account and email account.
It could pose a problem if a user somehow loses access to their e-mail account, but these days that's pretty rare. Hotmail, Yahoo, Gmail all have tools to recover lost e-mail passwords and they don't delete accounts, ISPs give ample warning before they cut off access to e-mails, etc. And even in that instance unless you lose access to your e-mail account AND get your EQEmu account hacked you should be fine.
I think it's the best compromise unless modifying vBulletin's password recovery is too much of a hassle.
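A sketch of the dual-confirmation flow proposed in the post above, added here as an illustration; it is not vBulletin or EQEmu code. The `EmailChange` class, the `outbox` dict standing in for mail delivery, and the one-hour lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a pending change stays valid (assumed value)


def _digest(token: str) -> str:
    # Store only a hash so a leaked pending-change table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class EmailChange:
    """Pending e-mail change that must be confirmed from BOTH mailboxes."""

    def __init__(self, account: dict, new_email: str, now: float = None):
        if new_email == account["email"]:
            raise ValueError("new address must differ from the one on file")
        self.account = account
        self.new_email = new_email
        self.expires = (time.time() if now is None else now) + TOKEN_TTL
        self.confirmed = {"old": False, "new": False}
        self._hashes = {}
        self.outbox = {}  # address -> token; stands in for sending the mails
        for side, addr in (("old", account["email"]), ("new", new_email)):
            token = secrets.token_urlsafe(32)  # independent token per mailbox
            self._hashes[side] = _digest(token)
            self.outbox[addr] = token

    def confirm(self, token: str, now: float = None) -> bool:
        """Record one confirmation; return True once the change is applied."""
        if (time.time() if now is None else now) > self.expires:
            return False  # expired requests never change the account
        for side, stored in self._hashes.items():
            # Constant-time comparison against the stored hash.
            if hmac.compare_digest(stored, _digest(token)):
                self.confirmed[side] = True
        if all(self.confirmed.values()):
            self.account["email"] = self.new_email
            return True
        return False  # still waiting on the other mailbox
```

Someone who controls only the account session, or only one mailbox, holds at most one of the two tokens, so the address on file stays unchanged.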