Password Change Issue

2 messages, 1 page

Score: +4

1. Naday,

Hi there,
I recently helped a friend change her username, and she also asked me to change her password. However, there seems to be a bug in the system that I would like to bring to your attention.
Here's what happened: after I changed her username, it was pending for review by the helpers, as expected. Then, I changed her password successfully. However, my friend left the playroom for a while and when she tried to log in again, she used her old username (which hadn't been validated yet) with the new password I had set for her. Surprisingly (not), she was able to log in successfully at that time.
But the issue came when her username got validated later on. She tried to log in again using her validated username and the new password, but she couldn't log in. It only worked when she used the old password, which should have been invalid by then.
This is concerning because if someone changes their password for security reasons, they would expect their old password to be invalidated. However, in this case, the old password still works even after the username has been validated. It could potentially allow unauthorized access to user accounts if someone else knew the old password. While it's up to users to keep their passwords secure and not share them, this bug contains a potential vulnerability that needs to be looked at.

Score: +0

2. Aminiel,

Hello,

This is something known. When your username is changed, your password is also modified and reflects the password that was in use when the username change request was issued.
So her password change was unfortunately reset to the old one at the moment the username change was accepted by helpers.

Normally, she can easily change her password to the new one again, by going to account options, or by using the lost password feature if needed.

Score: +2
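
A minimal model of the behaviour described in the reply above, added here as an illustration and not the site's actual code: the `Accounts` class, its method names and the sample credentials are all assumptions. It contrasts an approval step that restores the password captured when the rename was requested with one that only renames the account.

```python
import hashlib, hmac, os

def hash_pw(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest

def check_pw(stored, password):
    return hmac.compare_digest(stored, hash_pw(password, stored[:16]))

class Accounts:  # hypothetical model, not the site's implementation
    def __init__(self):
        self.users = {}    # username -> salted password hash
        self.pending = {}  # old username -> pending rename request

    def register(self, name, password):
        self.users[name] = hash_pw(password)

    def request_rename(self, old, new):
        # As described in the thread: the request captures the credential in use right now.
        self.pending[old] = {"new": new, "pw_snapshot": self.users[old]}

    def change_password(self, name, password):
        self.users[name] = hash_pw(password)

    def approve_stale(self, old):
        # Approval writes the snapshot back, silently undoing any later password change.
        req = self.pending.pop(old)
        del self.users[old]
        self.users[req["new"]] = req["pw_snapshot"]

    def approve_fixed(self, old):
        # Rename only: carry over whatever credential is current at approval time.
        req = self.pending.pop(old)
        self.users[req["new"]] = self.users.pop(old)

    def login(self, name, password):
        stored = self.users.get(name)
        return stored is not None and check_pw(stored, password)

def scenario(approve_name):
    """Replay the thread's sequence (constructed sample names and passwords)."""
    db = Accounts()
    db.register("old_name", "old-pw")
    db.request_rename("old_name", "new_name")
    db.change_password("old_name", "new-pw")
    before = db.login("old_name", "new-pw")
    getattr(db, approve_name)("old_name")
    # (new pw worked before approval, old pw works after, new pw works after)
    return before, db.login("new_name", "old-pw"), db.login("new_name", "new-pw")
```

Calling `scenario("approve_stale")` reproduces what the first post reports, while `scenario("approve_fixed")` keeps the old password invalid after the rename is accepted.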
