Simple Machines Community Forum

Archived Boards and Threads... => Archived Boards => SMF Feedback and Discussion => Topic started by: kman - March 07, 2006, 12:33:33 PM

Title: security flaw
Posted by: kman - March 07, 2006, 12:33:33 PM
I tried to log in with my usual password, which didn't work.  After trying a few times, a message came up saying I could reset my password by clicking a link in my email, with the OPTION of answering my secret question.  This means that anyone could potentially put their own email there and click the link to hack into my account.  Having to answer the secret question correctly should be required, not an option.  I can't believe this was missed.
Title: Re: HUGE security flaw
Posted by: Trekkie101 - March 07, 2006, 12:46:08 PM
But it asks for either Username or Email, so if their email wasn't associated with the account, it won't send them your link....
Title: Re: HUGE security flaw
Posted by: Kindred - March 07, 2006, 12:54:01 PM
To expand a little on Trekkie's comment...

Yes, it asks for an email address.  However, if the email address does not match the one on the account, nothing will be sent.

I am very disappointed that you would report this with such strong language without actually testing it.

Try it:
set up an account with one email address.
fail the 3 login attempts.
enter a DIFFERENT email address in the box...
...
the different email address will not receive any account information.

sheesh... do you really think that something that basic would have been missed in 20 or so public releases of this software?
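The behaviour Kindred walks through above (the reset link goes only to the address already stored on the account, whatever the form is given), as an added Python example; this is not SMF's own code, and the account table and the mail "outbox" are constructed stand-ins for a database and a mailer.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts: the on-file address is the only place a reset ever goes.
ACCOUNTS = {
    "kman": {"email": "kman@example.com"},
    "trekkie101": {"email": "trekkie@example.com"},
}


@dataclass
class ResetService:
    outbox: list = field(default_factory=list)  # (to_address, token) pairs "sent"
    tokens: dict = field(default_factory=dict)  # token -> username

    def find_account(self, identifier):
        """Match the form field against a username or an on-file email (case-insensitive)."""
        ident = identifier.strip().lower()
        for name, acct in ACCOUNTS.items():
            if ident == name.lower() or ident == acct["email"].lower():
                return name
        return None

    def request_reset(self, identifier):
        """Handle the 'Username or Email' box shown after the failed login attempts."""
        username = self.find_account(identifier)
        if username is not None:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = username
            # The destination comes from the account record, never from the form field,
            # so an unrelated address typed into the box receives nothing.
            self.outbox.append((ACCOUNTS[username]["email"], token))
        # Same reply either way, so the form does not reveal which addresses exist.
        return "If that account exists, a reset link has been sent to its address on file."

    def redeem(self, token):
        """Redeem a single-use token; returns the username or None."""
        for stored, username in list(self.tokens.items()):
            if hmac.compare_digest(stored, token):
                del self.tokens[stored]
                return username
        return None
```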
Title: Re: HUGE security flaw
Posted by: kman - March 07, 2006, 12:55:06 PM
Alright, my bad.  Sorry. :P

I don't see any "strong language" in my topic though.  lol
Title: Re: HUGE security flaw
Posted by: Kindred - March 07, 2006, 01:01:23 PM
hmmmm....   you think the text "HUGE security flaw" (with the huge in all caps) is not strong language?

On the internet today, where people are so obsessed with security that they complain when a script asks them to make a file chmod 777, words like that raise a red flag and worry people who just skim titles...
Title: Re: security flaw
Posted by: redone - March 07, 2006, 01:03:51 PM
Well, I edited your title because it is hardly a "HUGE" security flaw. And as has already been mentioned, most people just skim through posts; they don't often read them.

Title: Re: security flaw
Posted by: kman - June 15, 2006, 03:01:30 PM
I'm just a confused customer asking a question.  You guys need to relax and take it professionally.
Title: Re: security flaw
Posted by: Kindred - June 15, 2006, 03:15:22 PM
No...   you were a confused customer making (incorrect) assumptions on security without even understanding or properly testing before reporting a "HUGE security flaw" (that is not huge, nor is it a security flaw at all...)
Title: Re: security flaw
Posted by: Tristan Perry - June 15, 2006, 03:53:12 PM
Quote from: Kindred - June 15, 2006, 03:15:22 PM
No...   you were a confused customer making (incorrect) assumptions on security without even understanding or properly testing before reporting a "HUGE security flaw" (that is not huge, nor is it a security flaw at all...)
(Maybe he's just a newbie who didn't know the ramifications that some ignorant security obsessed people skim read titles?)

*Cough* kman, generally in this day and age security is a big thing on the internet, hence reporting a flaw without proper testing is generally frowned upon :)