I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong
I have changed my email more than once, just as part of customizing my online identity and all that. and that obviously required me to login into any accounts I had and updating the email...
I have changed my email more than once, just as part of customizing my online identity and all that.
and that obviously required me to login into any accounts I had and updating the email associated with them.
the most common workflow I have found is
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email
then you can go to that website and do the forgot password
, provide your email and change the password and get complete control.
I have always found that workflow weird cause it's the most prevalent one I have come across and seems so susceptible to tampering.
if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm on my inbox once I am back at my desk.
and most people don't have 2FA so that would effectively give me control of their account.
Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. a classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.
there are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and after you confirm on that, then you get a confirmation email on the new email inbox. which isn't perfect but I feel like it's a bit more sensical and the best you can do without involving 2FA.
even then, that's also susceptible to the situation I described above if the user is always logged into their email.
I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.