I have enabled 'RequireChangeConfirm' in application.php
However, it doesn't send a confirmation email to the old email address in order to approve the change; instead it sends it to the new email.
I'm not sure if it is supposed to send the confirmation email to the new one, but it shouldn't do this.
Let's imagine this scenario: someone knows my account credentials, they log in to my account in the Control Panel, and decide to steal my account by changing the email address. They can easily do that by simply filling in and submitting the form in /?module=account&action=changemail
My idea is: before changing the email address, a confirmation link is sent to the old/current email address to review and approve the change. If the account holder decides to decline the change, then the operation is cancelled and the change is denied, and vice versa.
The problem with that is that many kids lose access to their old mail over time. Emails can be re-assigned to new owners upon inactivity or deletion, that's a real thing. So you would prevent these people from regaining access.
I would recommend the following best-practice method:
Mail change is only accessible to logged-in users.
Ask only for new mail + current password for verification.
Send confirmation to new e-mail.
Optional: Send notification to old email which includes either just a notice,
or also includes a link that either reverses the mail change + pw,
or bans the account + creates support ticket.
Please note that in order to change a mail:
In this scenario a thief would need to know the login credentials. So the account has already been compromised in the first place. And the additional mail to the old mail account could help to prevent further damage in case of unwanted mail changes.
Greetings,
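To make the two proposals above concrete, here is an added example (not code from this project, which is PHP, and not written by either commenter) that models the flow recommended in the reply: re-authenticate with the current password, send the confirmation link to the new address so nothing changes until it is used, and send the old address a notice carrying a revert link that undoes the change and forces a password reset. The class and function names, the token lifetime, the in-memory outbox that stands in for real mail delivery, and the sample account are all constructed for this example.

```python
"""Illustrative e-mail-change flow (added example, not the project's own code).

Steps modelled from the reply above:
  1. only a logged-in user may request a change (the caller's session check is
     assumed; user_id stands in for the authenticated session here);
  2. the request takes the new address plus the current password;
  3. a confirmation link goes to the NEW address; nothing changes until it is used;
  4. the OLD address gets a notice with a revert link; using it restores the old
     address and forces a password reset, so a thief holding stolen credentials
     cannot lock the real owner out.
"""
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

TOKEN_TTL = 24 * 3600  # confirmation and revert links expire after a day (assumption)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # only a hash of each link token is stored, so a leaked database yields no usable links
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    password_reset_required: bool = False


@dataclass
class PendingChange:
    user_id: str
    old_email: str
    new_email: str
    confirm_hash: str
    revert_hash: str
    created: float
    confirmed: bool = False


@dataclass
class AccountService:
    accounts: dict
    now: callable = time.time                   # injectable clock, used to test expiry
    outbox: list = field(default_factory=list)  # (recipient, kind, token) instead of real mail
    pending: dict = field(default_factory=dict) # token hash -> PendingChange

    def request_email_change(self, user_id: str, new_email: str, current_password: str):
        acct = self.accounts[user_id]
        # step 2: re-authenticate with the password, not just the session cookie
        if not hmac.compare_digest(_hash_pw(current_password, acct.pw_salt), acct.pw_hash):
            raise PermissionError("wrong password")
        confirm_tok, revert_tok = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        change = PendingChange(user_id, acct.email, new_email,
                               _hash_token(confirm_tok), _hash_token(revert_tok), self.now())
        self.pending[change.confirm_hash] = change
        self.pending[change.revert_hash] = change
        self.outbox.append((new_email, "confirm", confirm_tok))  # step 3: to the NEW address
        self.outbox.append((acct.email, "notice", revert_tok))   # step 4: to the OLD address
        return change

    def _lookup(self, token: str):
        change = self.pending.get(_hash_token(token))
        if change is None or self.now() - change.created > TOKEN_TTL:
            return None
        return change

    def confirm_new_email(self, token: str) -> bool:
        change = self._lookup(token)
        if change is None or change.confirmed or _hash_token(token) != change.confirm_hash:
            return False
        self.accounts[change.user_id].email = change.new_email
        change.confirmed = True  # the revert link stays usable until TOKEN_TTL runs out
        return True

    def revert_change(self, token: str) -> bool:
        change = self._lookup(token)
        if change is None or _hash_token(token) != change.revert_hash:
            return False
        acct = self.accounts[change.user_id]
        acct.email = change.old_email          # undo whether or not the new address was confirmed
        acct.password_reset_required = True    # "reverses the mail change + pw"
        del self.pending[change.confirm_hash]
        del self.pending[change.revert_hash]
        return True


def make_service(now=time.time) -> AccountService:
    # constructed sample account; the password "correct horse" is test data only
    salt = secrets.token_bytes(16)
    accounts = {"alice": Account("alice@old.example", salt, _hash_pw("correct horse", salt))}
    return AccountService(accounts, now)
```

The point the reply makes is visible in the state machine: the account's address is untouched until the new-address link is used, and the old-address link keeps working even after confirmation, so the legitimate owner can undo a hostile change within the token lifetime without having been asked to approve it up front (which is what would lock out a user who has already lost the old mailbox).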