[OpenStreetMap] #5129: Saving new passwords does not require the old one
OpenStreetMap
trac at noreply.openstreetmap.org
Tue Feb 25 07:31:20 UTC 2014
#5129: Saving new passwords does not require the old one
----------------------+-------------------------
Reporter: oxplot | Owner: rails-dev@…
Type: defect | Status: new
Priority: critical | Milestone:
Component: website | Version:
Keywords: |
----------------------+-------------------------
When saving a new password under the
[[https://www.openstreetmap.org/user/username/account|User Account
Settings]] page, the old password is '''not''' required.
This is very bad. A malicious party who has stolen a logged-in session can
take away access from the original user completely by changing his/her
password.
--
Ticket URL: <https://trac.openstreetmap.org/ticket/5129>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world
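The check the ticket asks for, as an added example that is not part of the original report and is not OpenStreetMap's code: a session-only password change beside one that verifies the current password first. The `Account` class, its method names, the work factor and the sample passwords are all hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory account; names are illustrative, not OpenStreetMap's.
class Account
  ITERATIONS = 50_000 # constructed work factor for the example

  def initialize(password)
    store(password)
  end

  # True when candidate matches the stored password hash.
  def authenticate?(candidate)
    secure_equal?(@digest, derive(candidate.to_s, @salt))
  end

  # Behaviour the ticket describes: being logged in is the only requirement.
  def change_password_session_only(new_password)
    store(new_password)
    true
  end

  # Hardened form: the current password must be supplied and verified first.
  def change_password(current_password, new_password)
    return false if current_password.to_s.empty?
    return false unless authenticate?(current_password)
    store(new_password)
    true
  end

  private

  def store(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time comparison of two equal-length digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the hardened method, a request that carries only a valid session and no correct current password leaves the stored credential unchanged, so the account owner can still log in.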