> Don't list email addresses owned by an adversary in your account.
I mean if you're delegating your email address, your staff aren't adversaries. But they shouldn't be able to, say, drain all your retirement accounts either.
Just because I want people who search for alex.krupp@gmail.com to be able to find my Facebook account doesn't mean I want password reset requests sent there. It wouldn't be at all unreasonable to send them there if that was explained in the UI, but just immediately sending a password reset PIN to a non-primary email address without any warning is crazy. At least wait a few days if the user doesn't take any action after it's sent to their primary address.
Even if they changed it so that you could select where to send the password reset, rather than having it go by default to all accounts, that still means anyone with delegate access to the email address could go and request a reset on your behalf.
> that still means anyone with delegate access to the email address could go and request a reset on your behalf.
That's how it should work. You shouldn't have to remember which email address you signed up with in order to request a password reset. But that's fine as long as the PIN only gets sent to an account that's locked down to a degree that's appropriate relative to the assets under protection.
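The policy the two replies above converge on (look the account up by any linked address, but deliver the reset code only to the locked-down primary, and fall back to a secondary address only after a delay, only if the user opted that address in, and with an explanation) is easy to get wrong, so here it is as an added example. This is illustration code written for this page, not anything from Facebook or from the commenters; the account names, the 3-day fallback delay and the 7-day code lifetime are assumptions chosen for the demo.

```python
# Added example: a password-reset dispatch policy, not code from the thread or any real service.
# Any linked address identifies the account (so a requester need not remember which one they
# signed up with), the code goes only to the primary mailbox, and a delegated or publicly
# discoverable address receives it only after FALLBACK_DELAY with no action, only if the user
# explicitly opted it in, and with a message saying why it arrived there.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac
import secrets

FALLBACK_DELAY = timedelta(days=3)   # assumed: how long to wait for action at the primary
CODE_LIFETIME = timedelta(days=7)    # assumed: must exceed FALLBACK_DELAY or fallback never fires
T0 = datetime(2024, 1, 1, 12, 0)     # fixed clock for the constructed demo below


def days(n):
    return timedelta(days=n)


@dataclass
class Account:
    user_id: str
    primary: str                                       # the locked-down mailbox
    linked: list = field(default_factory=list)         # discoverable or delegated addresses
    fallback_opt_in: set = field(default_factory=set)  # linked addresses the user chose as late fallback


@dataclass
class ResetRequest:
    user_id: str
    code: str
    requested_at: datetime
    deliveries: list = field(default_factory=list)     # (address, when, reason) in send order
    fallback_done: bool = False
    consumed: bool = False


class ResetService:
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.by_address = {}
        for a in accounts:
            for addr in [a.primary, *a.linked]:
                self.by_address[addr.lower()] = a
        self.pending = {}   # user_id -> latest ResetRequest; a new request supersedes the old code

    def _deliver(self, req, address, now, reason):
        # In a real system this hands (address, message) to the mailer; here we just record it.
        req.deliveries.append((address, now, reason))

    def request_reset(self, any_address, now):
        acct = self.by_address.get(any_address.strip().lower())
        if acct is None:
            return None   # a real UI shows the same response either way, so nothing is confirmed
        req = ResetRequest(acct.user_id, secrets.token_urlsafe(6), now)
        self.pending[acct.user_id] = req
        self._deliver(req, acct.primary, now, "primary address")   # and nowhere else, yet
        return req

    def consume(self, user_id, code, now):
        req = self.pending.get(user_id)
        if req is None or req.consumed or now - req.requested_at > CODE_LIFETIME:
            return False
        if not hmac.compare_digest(code, req.code):   # constant-time compare of the short code
            return False
        req.consumed = True   # single use
        return True

    def fallback_sweep(self, now):
        """Run periodically. Returns the fallback addresses the code was sent to on this pass."""
        sent = []
        for req in self.pending.values():
            age = now - req.requested_at
            if req.consumed or req.fallback_done or age < FALLBACK_DELAY or age > CODE_LIFETIME:
                continue
            acct = self.accounts[req.user_id]
            opted = {f.lower() for f in acct.fallback_opt_in}
            for addr in acct.linked:
                if addr.lower() in opted:   # delegated addresses never opted in stay silent
                    reason = (f"no action at your primary address for {FALLBACK_DELAY.days} days; "
                              "you enabled this address as a recovery fallback")
                    self._deliver(req, addr, now, reason)
                    sent.append(addr)
            req.fallback_done = True   # one fallback round per request
        return sent


def demo_service():
    # Constructed demo account: a public, searchable address opted in as fallback and a
    # shared mailbox that staff can read, which is deliberately not opted in.
    alice = Account("alice", "alice@locked.example",
                    linked=["alice.public@example.com", "alice.shared@example.com"],
                    fallback_opt_in={"alice.public@example.com"})
    return ResetService([alice])


def addresses(req):
    return [addr for addr, _, _ in req.deliveries]
```

The delegate with access to alice.shared@example.com can still trigger a reset by typing that address, which is the behaviour the second reply defends; what they cannot do is receive the code, because that mailbox is neither the primary nor opted in as a fallback. The public address only sees the code after the delay, and only with the explanation the first reply asks for.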