Issue 2550716
Created on 2011-08-05 10:00 by luke, last changed 2011-08-11 10:54 by ber.
msg4358
Author: luke
Date: 2011-08-05 10:00

Roundup allows you to request a password reset
(/user?@template=forgotten). After stating a username, Roundup confirms
this request with "Email sent to EMAILADDRESS". This allows addresses to be tapped.
My RFE would be to change this to "Email sent to USER@..." (by omitting
the domain) or simply "Email with password request has been sent."
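
The two wordings proposed in msg4358, next to the reported behaviour, as an added sketch (not Roundup's code). `USERS`, `SENT`, every function name, the sample addresses and the "Unknown username" reply are assumptions made for illustration. The generic variant goes one step beyond the report by returning the same text for unknown usernames too.

```python
# Added illustration; not Roundup's implementation. USERS, SENT and all
# function names are hypothetical, and the addresses are constructed samples.
USERS = {
    "luke": "luke@example.org",
    "ber": "ber@example.net",
}
SENT = []  # stands in for the outgoing mail queue in this sketch
GENERIC = "Email with password request has been sent."


def queue_reset_mail(address):
    SENT.append(address)


def confirm_verbose(username):
    """Behaviour described in the report: echo the full address."""
    address = USERS.get(username)
    if address is None:
        return "Unknown username"  # assumed reply for a missing account
    return "Email sent to %s" % address


def mask_domain(address):
    """Keep the local part, drop the domain: 'luke@example.org' -> 'luke@...'."""
    local, sep, _domain = address.rpartition("@")
    if not sep:  # no '@' at all: reveal nothing
        return "..."
    return local + "@..."


def confirm_masked(username):
    """First proposal: omit the domain from the confirmation."""
    address = USERS.get(username)
    if address is None:
        return "Unknown username"  # assumed reply for a missing account
    return "Email sent to %s" % mask_domain(address)


def confirm_generic(username):
    """Second proposal: fixed text, identical for known and unknown names."""
    address = USERS.get(username)
    if address is not None:
        queue_reset_mail(address)  # mail goes out only for real accounts
    return GENERIC
```

In this sketch the masked form still shows the local part and still answers differently for unknown usernames; only the fixed text removes both signals.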

msg4367
Author: ber
Date: 2011-08-11 10:54

Hi Luke,
thanks for the feedback.
Can you explain to me a bit more how that "tapping" of emails
raises the risk? I mean, if you can tap the emails of the
Roundup server at all, you'd probably just tap all of them. And often
you might already have an idea about the corresponding email domain of
some users.

| Date | User | Action | Args |
| 2011-08-11 10:54:34 | ber | set | nosy: + ber; messages: + msg4367 |
| 2011-08-05 10:00:33 | luke | create | |