Changing mail adress -- only new adress gets mail?

kill0rz

kill0rz last edited by

Hi @ all!

I just noticed that when you change your mail in Opera Link, the verification mail is sent to the new address.
This is a huge security issue. Imagine someone is stealing your password, changing this and your mail address you even won't get any information about it. Furthermore, you cannot get your account back. Whilst, the guy is stealing everything you synchronize into the cloud, especially passwords!

It would be very nice if the verification mail is sent to old mail, not the new.

Looking forward to a reply!
Thanks!

leocg

leocg Moderator Volunteer last edited by

The message is to verify the email address, so it makes sense that it's sent to the new one.

Remember that to change your email you need to login first.

kill0rz

kill0rz last edited by

Hi,

thanks for the reply.

It does make sense to send the mail to the new one, but problem is still the same.
If someone stole your password (e.g. MITM, Phishing, hack or something similar) and changes your mail address, you are not notified about and you do not have any chance to get your account back (password changed, email changed, social logins deactivated).

Meanwhile, all data from opera Link is forked to another computer out of your control.

It would be nice if the old mail at least gets a notification about the change. At least that...

leocg

leocg Moderator Volunteer last edited by

It would be nice if the old mail at least gets a notification about the change.

Ok, i can agree with that. However there will always be issues:

• Not everyone uses a valid (in terms of being active) so many of the users won't receive the notification message
• Depending on how and how fast things happen, your data may have already gone by the time you got the notification
• Depending on how the account was created, it would be difficult to confirm info and prove that you are the real owner

kill0rz

kill0rz last edited by

Depending on how and how fast things happen, your data may have already gone by the time you got the notification

Totally agree with that, but still better than having nothing

Not everyone uses a valid (in terms of being active) so many of the users won't receive the notification message

It only would be a real security improvement if tho old mail gets the verification. If someone used a trash mail to register this service (which is btw pretty stupid, 'cause you save important data here) then this is just bad luck for him/her. An early announcement can be helpful at this point.