Manjaro Forum Email Verification

Hi, I was wondering how the Manjaro forum handles it when a user changes their email.
I see it sends a confirmation mail to the new email address, and when you follow that link your email gets updated.
The thing that really confuses me is that this works even if I use the confirmation link in another browser, or when I clear all local storage and session data: it then automatically logs me into the forum without any local storage or my permission.

How does it know it is really me and not someone hijacking my account?

Turn on two-factor authentication if you are concerned by this; you need a smartphone with an authenticator app installed to generate the codes, though.

No reason for confusion.

The email change verification is based on unique id - which is why it works no matter the browser.

Same goes for a password reset request.

You can verify the source as Discourse is open source.

I understand that, but what happens here:

  1. I log in to my account
  2. I provide by mistake a new email that's not mine
  3. Forum sends the verification token to that email
  4. Someone out there receives the token and is like "what the hell is this?"
  5. He clicks the link, gets auto-logged in to my account, and I get the notification that my email has been changed
  6. That someone is logged in and is able to change account password and thus hijack the account.

Am I missing something here?

That wouldn't happen, as their machine would give a different digital fingerprint to your own. But like I said, enable 2FA to put your mind at ease.

It's not that I worry about someone hacking my account; it's just that I noticed these mechanics and I'm not sure how they work. Let's forget about 2FA for now since it is optional :wink:

What do you mean by this? What would happen if they follow the confirmation link? Will they be asked for a password?
I am willing to try this with my own account if you would provide your burner email for this test. Or I can provide my burner email for you to try

I just confirmed it.
If I do that, that someone has absolute control over my account. He gets automatically logged in and can change the password.
Someone should be notified about this.

The good Lord* punishes small mistakes immediately.

So do not do this. :slight_smile:


Not really, you still logged in from the same IP address using the same hardware.

That's an assumption.
I confirmed it with my friend who lives in another city.

Fair enough, you could send proof to the forum administrator if requested in a private message to look into. Your account page should show any login attempts. 2FA may be optional but it's worth doing to counter any potential profile hijacking. The reason it's not compulsory is twofold. Not everyone has a means of using it and most members here won't put personal information that could lead to account compromises elsewhere so aren't too bothered.

That could happen - but as the email has not changed - yet - you can simply correct the mistake - the email is only changed on verification - and when you add another email - I don't know if my assumption is correct - my hunch is a new unique code is assigned and the previous is invalid.

The only real thing to prevent the described scenario will be to use 2FA.

This would only be an issue if you were not aware you misspelled your new email.

I have tested the scenario, and if you immediately change your email to the correct email, another token will be generated and the first rendered invalid.
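As an added illustration (not Discourse's code, and not from anyone in this thread), here is a hypothetical Python model of the flow discussed above: a newer change request invalidates the earlier token, tokens are single-use and stored only as digests, and the confirmation link never logs anyone in by itself. The service class, user and email addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of an email-change flow (hypothetical, not Discourse's code).
# Tokens are stored only as digests, are single-use, a newer request replaces the
# older token, and confirming needs the owner's own session: the link alone logs nobody in.

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class EmailChangeService:
    def __init__(self):
        self.emails = {}   # user_id -> current email address
        self.pending = {}  # user_id -> (token digest, proposed new email)

    def request_change(self, user_id: str, new_email: str) -> str:
        # Issue a fresh token; any earlier pending token for this user is dropped.
        token = secrets.token_urlsafe(32)
        self.pending[user_id] = (_digest(token), new_email)
        return token  # in a real system this is emailed to new_email, never stored raw

    def confirm(self, session_user: Optional[str], user_id: str, token: str) -> str:
        # Apply the change only for the logged-in owner holding the current token.
        if session_user is None or session_user != user_id:
            return "login_required"  # whoever holds the link still has to authenticate
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_pending_request"
        digest, new_email = entry
        if not hmac.compare_digest(digest, _digest(token)):
            return "invalid_token"  # superseded, forged or mangled token
        self.emails[user_id] = new_email
        del self.pending[user_id]  # single use
        return "changed"

def demo() -> dict:
    # Walk through the thread's scenario: a typo sends the token to a stranger.
    svc = EmailChangeService()
    svc.emails["alice"] = "alice@example.com"
    wrong = svc.request_change("alice", "alcie@example.com")  # mistyped address
    stranger = svc.confirm(None, "alice", wrong)              # stranger clicks, not logged in
    right = svc.request_change("alice", "alice@example.org")  # corrected request
    stale = svc.confirm("alice", "alice", wrong)              # first token now invalid
    ok = svc.confirm("alice", "alice", right)
    reuse = svc.confirm("alice", "alice", right)
    return {"stranger": stranger, "stale": stale, "ok": ok, "reuse": reuse, "email": svc.emails["alice"]}
```

Running `demo()` shows the stranger stopped at `login_required`, the superseded token rejected, the corrected change applied once, and a second use of the same link refused.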

Hello! When I tried to change the email address of my forum account, I got an error 500. Is it possible to fix it?

There is no problem changing email - just verified using my address.

It works now! Thank you!

Good find!

The Manjaro forums use and if you file a bug on how to hack an account here they might even pay you real money for disclosing that (privately) to them.

:+1: :innocent: :+1:

