Email address change

Testing email address change.

Testing

  • Injection vulnerabilities
  • Try to use an email address that already belongs to another user. If this succeeds, try to reset the password and take over that account.
  • Try to change another user’s email address to your own. If this succeeds, try to reset the password and take over the account.
  • Check if the email address change is vulnerable to CSRF. Create a PoC and take over the account.
  • Try Mass Assignment / Auto-binding. Try to change your personal information but add extra parameters to the request such as “role” or “isAdmin”.

Recommendation

Option 1:

  • Request the current password for sensitive features such as changing the email address (username).

Option 2:

  • Send an email to the new email address: the email should ask the user to confirm the change by clicking the provided link. If the user didn’t initiate the change, he/she can simply disregard the email and the address stays unchanged.
  • Send an email to the previous email address: this email is a security measure to protect the account in case someone is trying to take it over, since the legitimate owner is warned at an address the attacker does not control.
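One way to implement both recommendations together, as an added example that is not part of the original checklist: the service below requires the current password, stores only a hash of a random confirmation token, sends the confirmation link to the new address and a warning to the old one, and only reads the named fields it expects. The `send_mail` callable, the confirmation URL, the token lifetime and the sha256 stand-in for a real password hasher are assumptions made for the demo.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)

@dataclass
class User:
    user_id: int
    email: str
    password_hash: str  # sha256 stands in for a real password hasher (bcrypt/argon2)

class EmailChangeService:
    def __init__(self, users, send_mail):
        self.users = {u.user_id: u for u in users}
        self.pending = {}  # sha256(token) -> (user_id, new_email, expires_at); only the hash is stored
        self.send_mail = send_mail  # hypothetical callable(to, subject, body)

    def request_change(self, user_id, current_password, new_email):
        # Only these named fields are read from the request: no auto-binding of "role" or "isAdmin".
        user = self.users[user_id]
        supplied = hashlib.sha256(current_password.encode()).hexdigest()
        if not hmac.compare_digest(user.password_hash, supplied):
            return None  # Option 1: wrong current password, nothing happens
        if any(u.email == new_email and u.user_id != user_id for u in self.users.values()):
            return None  # the address already belongs to another account
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = (user_id, new_email, time.time() + TOKEN_TTL)
        # Option 2: the new address must follow the link before anything changes...
        self.send_mail(new_email, "Confirm your new email address",
                       f"https://example.invalid/confirm-email?token={token}")
        # ...and the current address is warned so the real owner can react to a takeover attempt.
        self.send_mail(user.email, "Email change requested",
                       "If you did not request this, change your password now.")
        return token  # returned only so the flow can be exercised; in production it travels by mail only

    def confirm_change(self, token):
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        change = self.pending.pop(token_hash, None)
        if change is None or change[2] < time.time():
            return False  # unknown, already used or expired token
        user_id, new_email, _ = change
        self.users[user_id].email = new_email
        return True

def build_demo():  # constructed sample data: two users and an in-memory mail sink
    sent = []
    users = [User(1, "alice@example.invalid", hashlib.sha256(b"alice-pw").hexdigest()),
             User(2, "bob@example.invalid", hashlib.sha256(b"bob-pw").hexdigest())]
    return EmailChangeService(users, lambda to, subject, body: sent.append((to, subject, body))), sent
```

Note that the account's email is untouched until `confirm_change` succeeds, so a CSRF-triggered or unauthorised request on its own never changes the address.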