Roundup Tracker - Issues

Issue 2551228

Title: Send notification to user if password or emails are changed
Type: security
Severity: normal
Components:
Versions:
Status: new
Nosy list: rouilj
Priority: normal
Keywords: Effort-Low, StarterTicket

Created on 2022-08-01 02:10 by rouilj, last changed 2022-08-01 02:10 by rouilj.

Messages
msg7627 Author: [hidden] (rouilj) Date: 2022-08-01 02:10
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements requirements numbered 2.2.3 and 2.5.5
recommend that changes to email addresses or password credentials result in
notification to the user. They prefer a push system, but notification
to the email address can work.

To implement, a reactor that monitors primary email or password change and emails
the user at:

   old and new primary email address about email address changes
   current primary email address for password change

Some text similar to:

  Your <(email|password) has changed on the xyz tracker. If you authorized this
  change you do not need to do anything. If this change is unauthorized,
  please notify the admin at .....

should be sent.
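The reactor sketched in msg7627, as an added example that is not part of the tracker's code or the ticket. It assumes Roundup's classic schema (`user.address` as the primary email, `user.password`), the config values `TRACKER_NAME` and `ADMIN_EMAIL`, and `roundup.mailer.Mailer.standard_message()` for delivery; the message building is kept in a pure function so it can be checked without a tracker instance.

```python
def build_notifications(tracker, admin, old_address, new_address, password_changed):
    """Return (recipient, subject, body) tuples for a user-record change.

    Email-address changes go to BOTH the old and the new address, so the
    legitimate owner still hears about it when the new address is not theirs.
    Password changes go to the current primary address.
    """
    def body(what):
        return ("Your %s has changed on the %s tracker. If you authorized "
                "this change you do not need to do anything. If this change "
                "is unauthorized, please notify the admin at %s."
                % (what, tracker, admin))

    notes = []
    if old_address != new_address:
        # dict.fromkeys keeps order and drops a duplicate; skip empty/None
        for rcpt in dict.fromkeys([old_address, new_address]):
            if rcpt:
                notes.append((rcpt, "[%s] your email address was changed"
                              % tracker, body("email address")))
    if password_changed and new_address:
        notes.append((new_address, "[%s] your password was changed" % tracker,
                      body("password")))
    return notes


def notify_credential_change(db, cl, nodeid, oldvalues):
    """Reactor for user 'set': oldvalues holds the prior value of each
    property that was actually modified (Roundup detector convention)."""
    if 'address' not in oldvalues and 'password' not in oldvalues:
        return  # e.g. only realname or timezone changed: nothing to report
    from roundup.mailer import Mailer  # assumed Roundup API, imported lazily
    new_address = cl.get(nodeid, 'address')
    old_address = oldvalues.get('address', new_address)  # unchanged -> same
    notes = build_notifications(db.config.TRACKER_NAME, db.config.ADMIN_EMAIL,
                                old_address, new_address,
                                'password' in oldvalues)
    mailer = Mailer(db.config)
    for rcpt, subject, text in notes:
        mailer.standard_message([rcpt], subject, text)


def init(db):
    # Register as a reactor (runs after the change is applied), not an
    # auditor, so a change rejected by an auditor never triggers a mail.
    db.user.react('set', notify_credential_change)
```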
History

Date                 User    Action  Args
2022-08-01 02:10:16  rouilj  create