
Hmm... I was just wondering... why does this site deactivate your account when you change your email address?

 

Every login site I have created keeps the account active; the stored active email only switches to the new email after the user has clicked the secure link in the email they receive. Is this in any way prone to spamming or any security issues?

 

 

Yes. If I gained access to your account (and wanted to keep it for a while) I would change the email address to something I own. Simply sending me a link to confirm the change is only good for making sure that the email works - it does nothing for security.

Not really, it's just a misc question about site security. Is there any benefit to locking/deactivating an account whilst an email is in the process of being changed?

I see it as it prevents unauthorized account changes (so long as the original email has to verify the new email) and helps prevent spamming by not allowing a user to sign up with a real email address and then change it to a dummy one so that they won't get banned off of the real email address when they spam ;)

> Yes. If I gained access to your account (and wanted to keep it for a while) I would change the email address to something I own. Simply sending me a link to confirm the change is only good for making sure that the email works - it does nothing for security.

 

If you managed to access my account on phpFreaks.com and proceeded to change the said account's registered email address from x@site.com to y@othersite.com, I still don't see any benefit from deactivating the phpFreaks.com account until the new link in the y@othersite.com inbox has been clicked. Does that not just prevent anyone else accessing the account until the new email has been verified (i.e. proves it exists, and that the guy actually owns the email)?

And then wouldn't it make more sense to not deactivate the account, on security measures, as if the original user came back during the email change attempt, they would get logged in but then be warned that their email address was in the course of being changed... 'Click here to stop it if it wasn't you' type thing.

<edit>Actually I just realised it is six and two threes here. I am guessing that if the account is deactivated it would send a message to do the same thing</edit>

 

 

> Not really, it's just a misc question about site security. Is there any benefit to locking/deactivating an account whilst an email is in the process of being changed?

> I see it as it prevents unauthorized account changes (so long as the original email has to verify the new email) and helps prevent spamming by not allowing a user to sign up with a real email address and then change it to a dummy one so that they won't get banned off of the real email address when they spam ;)

 

But on here, there is no link to the old email address. Only one to the new email address. I am assuming that this must be because there may be an instance when a user no longer has access to the email address they registered with (a work email or something similar).

 

 

> changing it to a dummy one so that they won't get banned off of the real email address when they spam ;)

 

ermm... :) Could you expand a little... I don't follow

> But on here, there is no link to the old email address. Only one to the new email address. I am assuming that this must be because there may be an instance when a user no longer has access to the email address they registered with (a work email or something similar).

Hmm, that should probably be looked at. IMO it should be sending to the old email to confirm the new one.

 

> ermm... :) Could you expand a little... I don't follow

Sure, so let's say I'm a spammer and want to spam PHP Freaks with lots and lots of spam. Since we require email activation (I think...) on our accounts, I could follow this pattern:

1 - Sign up with foobar@gmail.com - a valid email address

2 - Activate the account

3 - Switch the email address over to a fake one, foo@bar.com

4 - Spam away

5 - Repeat (using a proxy probably)

 

Now, since the forums typically don't keep a history of users' account changes made by themselves, we won't have the original email address and they can sign up for another account to avoid bans based off of email addresses. However, adding in the account lock + account change confirmation helps thwart spammers from using this tactic.

> Now, since the forums typically don't keep a history of users' account changes made by themselves, we won't have the original email address and they can sign up for another account to avoid bans based off of email addresses.

I've seen one forum package (IPB I think) track the original email addresses. I wasn't sure why at the time but didn't give it much thought; looking back it makes sense.

 

Ok, but then there is still not really a reason, as far as I can make out, for the account to be deactivated. This method (which could be the same as phpFreaks) would serve the same function, wouldn't it:

 

1 - new account > new entry in members table

2 - change email > place new email in 'newEmailToConfirm' field, then send the user an email to 'newEmailToConfirm', meaning the said user must click the link to prove the account is true

3 - user clicks the link in said email from step 2 to confirm to the member site that the email is a real email and does indeed belong to the user in question

4 - confirmed > the site then places 'newEmailToConfirm' into 'email' to replace the old email

 

The above method would prevent a user from just creating hundreds of accounts on bogus emails as you suggested, but it would not require the user's account to be suspended during the changeover. The benefit of this would be... if the user entered an incorrect email address, they could easily just log back in and enter the correct one.

 

It is the 'deactivation' which is confusing me... I can't really see a reason for it... I'm sure I'm just being dumb however and missing something somewhere...?

 

PS/ With regard to sending an email to the old email to confirm the new email: how would you get around an instance of a user changing an email due to the old email being deactivated by work or school or some other establishment? You would be stuck if you couldn't read the email.

 

Hmm. In fact, with the account deactivation on this site during an email change... if you entered an incorrect email by mistake there is no way back in. You would have to contact the admins, I'm assuming, which is a little overkill for a simple typo.

 

i.e.

I change mine to john@mysite.com but I should have typed in john@mysite.co.uk... stuck. All I can do is send the email back out to the incorrect email I have no access to. If the account wasn't deactivated then I could quickly log back in and correct the email change.
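The four-step flow proposed above (pending address kept in its own column, confirmed by a link to the new mailbox, only then copied into the live email), together with the two refinements raised earlier in the thread (keeping a history of address changes so bans keyed on the original address still work, and notifying the old address with a cancel link rather than requiring it to confirm, since the old mailbox may be dead), as an added PHP example. This is not code from phpFreaks or from anyone in the thread; the table and column names, the in-memory SQLite database, the `example.test` URLs and the `sendMail` stand-in for `mail()` are all assumptions made so it runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not the forum software's code. Schema and URLs are assumed.

const CONFIRM_TTL_SECONDS = 3600;   // a pending change that is never confirmed simply expires

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    new_email_to_confirm TEXT,
    confirm_token_hash TEXT,
    confirm_expires INTEGER)');
// History of address changes: a ban keyed on the address used at signup still
// matches an account that later switched to a throwaway one.
$pdo->exec('CREATE TABLE email_history (
    member_id INTEGER NOT NULL, old_email TEXT NOT NULL,
    new_email TEXT NOT NULL, changed_at INTEGER NOT NULL)');
$pdo->exec("INSERT INTO members (id, email) VALUES (1, 'john@mysite.co.uk')");   // constructed member

// Stand-in for mail(): collects outgoing messages so the script runs offline.
$outbox = [];
function sendMail(array &$outbox, string $to, string $subject, string $body): void {
    $outbox[] = ['to' => $to, 'subject' => $subject, 'body' => $body];
}

// Step 2: store the pending address and mail a single-use link to it. The old
// address gets a notice with a cancel link. The account stays active throughout.
function requestEmailChange(PDO $pdo, array &$outbox, int $memberId, string $newEmail): bool {
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $token = bin2hex(random_bytes(32));   // goes to the user only
    $hash  = hash('sha256', $token);      // only the hash is stored, so a DB leak exposes no live links
    $pdo->prepare('UPDATE members SET new_email_to_confirm = ?, confirm_token_hash = ?,
                   confirm_expires = ? WHERE id = ?')
        ->execute([$newEmail, $hash, time() + CONFIRM_TTL_SECONDS, $memberId]);
    $stmt = $pdo->prepare('SELECT email FROM members WHERE id = ?');
    $stmt->execute([$memberId]);
    $oldEmail = $stmt->fetchColumn();
    sendMail($outbox, $newEmail, 'Confirm your new address',
        "https://example.test/confirm-email?token=$token");               // hypothetical URL
    sendMail($outbox, $oldEmail, 'Your email address is being changed',
        "If this was not you, cancel it: https://example.test/cancel-email-change");
    return true;
}

// Steps 3 and 4: the link proves the new mailbox is real and reachable; only
// then does the pending value replace the live one, and the change is logged.
function confirmEmailChange(PDO $pdo, string $token): bool {
    $stmt = $pdo->prepare('SELECT id, email, new_email_to_confirm, confirm_expires
                           FROM members WHERE confirm_token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['confirm_expires'] < time()) {
        return false;   // unknown, already used, or expired token
    }
    $pdo->beginTransaction();
    $pdo->prepare('INSERT INTO email_history VALUES (?, ?, ?, ?)')
        ->execute([$row['id'], $row['email'], $row['new_email_to_confirm'], time()]);
    $pdo->prepare('UPDATE members SET email = new_email_to_confirm, new_email_to_confirm = NULL,
                   confirm_token_hash = NULL, confirm_expires = NULL WHERE id = ?')
        ->execute([$row['id']]);
    $pdo->commit();
    return true;
}

// The typo case from the thread: the user is still logged in, so they drop the
// pending change and resubmit. The same call serves the cancel link sent to the old address.
function cancelEmailChange(PDO $pdo, int $memberId): void {
    $pdo->prepare('UPDATE members SET new_email_to_confirm = NULL, confirm_token_hash = NULL,
                   confirm_expires = NULL WHERE id = ?')->execute([$memberId]);
}

// Walk-through: a mistyped domain, corrected without any admin involvement.
requestEmailChange($pdo, $outbox, 1, 'john@mysite.com');      // wrong domain, never confirmed
cancelEmailChange($pdo, 1);                                   // still logged in, so just fix it
requestEmailChange($pdo, $outbox, 1, 'john@newsite.co.uk');
$confirmMail = $outbox[count($outbox) - 2];                   // the message to the new address
parse_str((string) parse_url($confirmMail['body'], PHP_URL_QUERY), $query);
var_dump(confirmEmailChange($pdo, $query['token']));          // bool(true)
var_dump(confirmEmailChange($pdo, $query['token']));          // bool(false): token is single-use
echo $pdo->query('SELECT email FROM members WHERE id = 1')->fetchColumn(), "\n";
print_r($pdo->query('SELECT * FROM email_history')->fetchAll(PDO::FETCH_ASSOC));
```

The token is hashed before storage and cleared on use, so a leaked database row or a re-sent link cannot complete a change on its own. The notice to the old address is the answer to the thread's remaining worry (someone who already holds the session swapping the address): the legitimate owner learns about the change and can cancel it, without the flow depending on the old mailbox still working.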
