Is this a security problem? Change of details only needs email address

So I'm setting up a sign-in form and I've noticed that if the user puts in an email address that is already in the database with conflicting name, address, phone, etc., the database is updated with this new information. This even impacts users who have set up a password, but no password is ever asked for to confirm authorization to go ahead with the changes.

More puzzling is that the changes don't appear in the activity stream of the page so the administrator wouldn't see that it's happening.

So all I would need to do mischief on the database is a bunch of email addresses which, in the case of this site (and probably lots of others), are publicly available.

Am I doing something wrong here or is this a known issue?

Not planned

Official response from

We are aware of this and are taking concerns into consideration, but do not currently have plans to change this behavior.

At this time, if you are concerned about forms changing personal information, you can make forms only available to members, requiring someone to log in before submitting any form. You can also customize public forms to remove fields with information you do not wish to update in your nation without authorization and leave changes to a member-only page.
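
The issue raised in this thread, handled in a form endpoint that treats the email address as a lookup key and not as proof of identity. This is an added example, not the platform's code and not part of the original posts; `Store`, `submit_form`, `session_email` and the pending-change queue are hypothetical names and design choices.

```python
from dataclasses import dataclass, field

PROFILE_FIELDS = ("name", "address", "phone")  # fields named in the post


@dataclass
class Store:  # hypothetical in-memory stand-in for the people database
    people: dict = field(default_factory=dict)    # email -> profile dict
    pending: list = field(default_factory=list)   # held changes awaiting confirmation
    activity: list = field(default_factory=list)  # audit trail visible to admins


def normalize(email):
    return email.strip().lower()


def submit_form(store, form, session_email=None):
    """Handle one form submission.

    session_email is the address of the logged-in user, or None for an
    anonymous submission. Returns "created", "updated", "held" or "unchanged".
    """
    email = normalize(form["email"])
    proposed = {k: form[k] for k in PROFILE_FIELDS if form.get(k)}
    current = store.people.get(email)

    if current is None:
        store.people[email] = proposed
        store.activity.append(("created", email, sorted(proposed)))
        return "created"

    changes = {k: v for k, v in proposed.items() if current.get(k) != v}
    if not changes:
        return "unchanged"

    if session_email is not None and normalize(session_email) == email:
        current.update(changes)
        store.activity.append(("updated", email, sorted(changes)))
        return "updated"

    # Knowing the address is not proof of owning it: keep the stored
    # profile, hold the proposal, and make the attempt visible to admins.
    store.pending.append((email, changes))
    store.activity.append(("held_unverified_change", email, sorted(changes)))
    return "held"
```

Held changes can then be applied after the record owner confirms them, for example through a link sent to the address on file.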
