
Why do major sites (eBay, Github) not ask for a password when I attempt to change email addresses?

Çağlar Arlı

When users change their email addresses within a web application's user account, I see the following problem:

An attacker (who has access to your session) could change your email address to a new one (the attacker's), log out and request a "forgot my password" reset. From that point, he owns the account.

To my surprise, even major sites (from eBay to Github) allow changing the email address without asking for a password etc. In my understanding, this makes account takeovers via internet cafe/university/shared computers extremely easy. And I think that the guys behind eBay and Github (for example) know what they are doing.

Why do those sites allow email change requests without asking for a password?
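The flow the question describes (hijacked session, email swapped, password reset sent to the attacker's address) is defeated if the email-change endpoint itself demands something a stolen session cookie does not carry. The example below is added here for illustration and is not code from the original post or from eBay or Github; it shows the three controls a hardened email-change handler usually combines: re-entering the password, confirming the new address by a single-use, expiring token, and notifying the old address so the real owner learns of the request. The `User`, `EmailChangeService` and `outbox` names are assumptions of this example; the outbox is a constructed stand-in for an email delivery service.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, pbkdf2 digest); reuses `salt` when verifying a stored hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    # Constructed stand-in for outbound mail: list of (recipient, message).
    outbox: list = field(default_factory=list)
    pending: Optional[dict] = None


class ReauthRequired(Exception):
    """Password check failed: a stolen session alone cannot pass this step."""


class InvalidToken(Exception):
    """Confirmation token missing, wrong, or expired."""


class EmailChangeService:
    TOKEN_TTL = 15 * 60  # seconds a pending change stays confirmable

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so expiry can be tested offline

    def request_change(self, user: User, password: str, new_email: str) -> str:
        # Control 1: re-authenticate with the password, compared in constant time.
        _, candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.pw_hash):
            raise ReauthRequired("password check failed")
        # Control 2: the new address must prove it is reachable via a single-use token;
        # only the token's hash is stored, so a database read does not reveal it.
        token = secrets.token_urlsafe(32)
        user.pending = {
            "new_email": new_email,
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": self.now() + self.TOKEN_TTL,
        }
        user.outbox.append((new_email, f"confirm your new address: token={token}"))
        # Control 3: tell the OLD address, so the account owner sees an unexpected request.
        user.outbox.append((user.email, f"notice: change to {new_email} requested"))
        return token

    def confirm_change(self, user: User, token: str) -> str:
        pending = user.pending
        if pending is None or self.now() > pending["expires"]:
            raise InvalidToken("no pending change or token expired")
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            raise InvalidToken("token mismatch")
        old_email = user.email
        user.email = pending["new_email"]
        user.pending = None  # single use: the token cannot be replayed
        user.outbox.append((old_email, f"notice: address changed to {user.email}"))
        return user.email


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")  # constructed credential
    user = User(email="owner@example.test", salt=salt, pw_hash=digest)
    svc = EmailChangeService()
    token = svc.request_change(user, "correct horse battery staple", "owner-new@example.test")
    print("now:", svc.confirm_change(user, token))
    for recipient, message in user.outbox:
        print(recipient, "<-", message)
```

Note that the hijacked-session scenario fails at the first control: without the password, `request_change` never creates a pending change, and even an attacker who somehow passes it cannot complete the swap without reading mail at the new address within the TTL, while the old address has already been warned.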