views: 70

answers: 4

I'm developing a web app and currently I'm trying to decide whether or not to let my users change their email.

If an account gets compromised, the attacker only needs to change the email and then reset the password to gain complete control of the user account. However, with no ability to change the email address, the user can regain control and simply reset the password to stop further rogue access to their account.

What do you think?

A: 

Send a confirmation email to the original email address requiring some confirmation action before making the change.

Gratzy
The primary reason for changing email address is that the old address is now defunct
PaulG
Require alternate email etc. Many sites send confirmation emails to confirm account changes.
Gratzy
A: 

Only let authenticated (logged in) users change their email address. If the account is compromised then they already have complete control over it. Changing email address in this case should be the least of your worries! :)

PaulG
Without a confirmation email to the original the user won't be alerted to an issue.
Gratzy
How does this even address the question? I think it's safe to assume he is already requiring the user to be authenticated to make changes.
Gratzy
That was entirely my point. If an attacker already has your username and password, why does he need to change email address to reset the password?
PaulG
Because the system will reset the password to the original user's email address.
Maybe I'm not understanding. The password is the email address?
PaulG
I'm pretty lost too now
Gratzy
There are many scenarios possible where the attacker does have access to a logged in account but *does not* have the password.
Jacco
-1. There is a big difference between an account owned once (session hijacked via an XSS) and an account owned permanently.
dr. evil
A: 

Retain the old e-mail address for a while, and allow it to be used to reset the password.

Dave Hinton
+2  A: 

It is my opinion that users should be able to change all details associated with their person, including their e-mail address.

Minimum security measure: ask the user to enter their password!

E-mail changes should be handled with the same care as password changes:

Asking for their password prevents somebody from changing the e-mail address of an already logged-in user; after changing the e-mail address, it is usually trivially easy to get a valid password for the account, effectively taking over the account completely.

E-mail confirmation scheme:
Added security measures can come in various ways, usually consisting of some sort of e-mail confirmation.
The difficulty with e-mail confirmation is that a common reason for users to change their current e-mail address is that they can no longer access it (changed jobs, changed providers, etc.).

A common scheme of e-mail change confirmation is the following:

  1. Send an e-mail to the new address with a "confirm e-mail change" link (make sure it is a working e-mail address).
  2. Upon receiving the confirmation from the new address:
    • Change the e-mail address.
    • Send an e-mail to the old e-mail address with a "Revoke e-mail change" link (this option should be valid for 30 days or so).

Extended security with e-mail confirmation:
For some high-risk accounts, you could only allow 'limited access' to the account for as long as the 'revocation period' is still active (the above mentioned 30 days or so).

In addition to the "Revoke e-mail change" link, you can provide a "Confirm e-mail change" link in the e-mail sent to the old address. Clicking the link would make the change of address permanent, ending the revocation and 'limited access' period immediately.

UPDATE
There seems to be some confusion about what is compromised if somebody is 'logged in'.
There are quite a few options for a fraudulent person to gain access to a logged-in account without knowing the password.

Consider, for example, the case where somebody simply walks away from the keyboard, or has chosen to use some sort of 'remember me' functionality (either provided by the browser or by the website itself).

While this is bad, a well designed system would/should limit the damage by not allowing any account-damaging actions to happen without asking for the user's password again.

The prime example for this is:
Ask the user for his/her current password if they want to change it.

Jacco
In the end aren't you still relying on sending an email to the old address to give the user the opportunity to rollback the change?
Gratzy
The second option described is a 'roll back the changes' option, yes.
Jacco
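The following is an added example, not code from the original thread or from any of the posters. It models Jacco's scheme (re-authenticate with the current password, confirm from the new address, then give the old address a time-limited revoke/confirm link and keep the account in 'limited access' meanwhile) and folds in Dave Hinton's suggestion that the old address stays valid for password resets while the revocation window is open. The class and method names, the 30-day and 24-hour windows, the token format and the in-memory "outbox" standing in for real mail are all assumptions.

```python
"""Model of the e-mail change flow discussed above (added example, not from
the original thread). Names, the 30-day window and the token format are
assumptions; storage is in-memory and the "outbox" stands in for real mail."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

REVOCATION_WINDOW = 30 * 24 * 3600   # "30 days or so" from the answer
CONFIRM_TTL = 24 * 3600              # assumed lifetime of the new-address link


def _hash(secret: str) -> str:
    # Demo only: a real system hashes passwords with a slow KDF (argon2/bcrypt).
    return hashlib.sha256(secret.encode()).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


@dataclass
class Account:
    email: str
    password_hash: str
    pending_new_email: Optional[str] = None
    confirm_token_hash: Optional[str] = None
    confirm_expires: float = 0.0
    previous_email: Optional[str] = None
    revoke_token_hash: Optional[str] = None
    revoke_expires: float = 0.0
    limited_access: bool = False     # "extended security" from the answer


class EmailChangeService:
    def __init__(self) -> None:
        # (recipient, purpose, token); a real system never stores the raw token.
        self.outbox: List[Tuple[str, str, str]] = []

    def request_change(self, acct: Account, current_password: str,
                       new_email: str, now: Optional[float] = None) -> None:
        """Step 1: re-authenticate, then mail a confirm link to the NEW address."""
        if not hmac.compare_digest(_hash(current_password), acct.password_hash):
            # A hijacked session or an unattended keyboard stops here.
            raise PermissionError("current password required")
        token = secrets.token_urlsafe(32)
        acct.pending_new_email = new_email
        acct.confirm_token_hash = _hash(token)
        acct.confirm_expires = _now(now) + CONFIRM_TTL
        self.outbox.append((new_email, "confirm-new", token))

    def confirm_new(self, acct: Account, token: str,
                    now: Optional[float] = None) -> bool:
        """Step 2: swap the address, then mail revoke/confirm links to the OLD one."""
        t = _now(now)
        if (acct.pending_new_email is None or acct.confirm_token_hash is None
                or t > acct.confirm_expires
                or not hmac.compare_digest(_hash(token), acct.confirm_token_hash)):
            return False
        acct.previous_email, acct.email = acct.email, acct.pending_new_email
        acct.pending_new_email = acct.confirm_token_hash = None
        revoke = secrets.token_urlsafe(32)
        acct.revoke_token_hash = _hash(revoke)
        acct.revoke_expires = t + REVOCATION_WINDOW
        acct.limited_access = True
        self.outbox.append((acct.previous_email, "revoke-or-confirm", revoke))
        return True

    def _revoke_token_ok(self, acct: Account, token: str, t: float) -> bool:
        return (acct.revoke_token_hash is not None and t <= acct.revoke_expires
                and hmac.compare_digest(_hash(token), acct.revoke_token_hash))

    def _end_revocation_period(self, acct: Account) -> None:
        acct.previous_email = acct.revoke_token_hash = None
        acct.revoke_expires = 0.0
        acct.limited_access = False

    def revoke(self, acct: Account, token: str, now: Optional[float] = None) -> bool:
        """Old address clicked "Revoke": restore it and end the limited period."""
        if not self._revoke_token_ok(acct, token, _now(now)):
            return False
        acct.email = acct.previous_email
        self._end_revocation_period(acct)
        return True

    def confirm_from_old(self, acct: Account, token: str,
                         now: Optional[float] = None) -> bool:
        """Old address clicked "Confirm": make the change permanent right away."""
        if not self._revoke_token_ok(acct, token, _now(now)):
            return False
        self._end_revocation_period(acct)
        return True

    def reset_addresses(self, acct: Account, now: Optional[float] = None) -> List[str]:
        """Addresses a password-reset mail may go to: the current one, plus the
        old one while the revocation window is open (Dave Hinton's suggestion)."""
        addrs = [acct.email]
        if acct.previous_email and _now(now) <= acct.revoke_expires:
            addrs.append(acct.previous_email)
        return addrs
```

Two details worth keeping when adapting this: only hashes of the confirm and revoke tokens are stored, so a database read does not hand an attacker a usable link, and every time-limited check is done against a caller-supplied clock so the expiry paths can be tested without waiting 30 days.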