Email Changes

Posted 2017-01-08 (modified 2017-01-09) at https://www.ezrasf.com/wplog/2017/01/08/email-changes/
Categories: Cybersecurity, Usability/Accessibility. Tags: black hat, email address, phishing, security, two-factor authentication.

Ran across a site where, if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say I am a black hat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than to the victim means the victim never sees it, so a compromised account gets altered without their knowledge. Strong security would want to prevent the change unless the owner of victim@outlook.com confirms the change.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

    Hi user,

    This notice confirms that your email was changed on site Forums.

    If you did not change your email, please contact the Site Administrator at
    forum-password-resets@site.org.

Still scary. The black hat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It will prevent support phone calls, because if they no longer have control of the old email account, users can simply change it to another address they do control.

Of course, the site in question also does not have two-factor authentication. But then, it is also just a support forum. So the ramifications of losing the account are impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.