When changing password or email address, require to type old password #2932
Labels: c: Security, Task
If you leave Piwik open and logged in, anyone accessing the computer could change the email address or the password. Changing the email address would allow them to "reset" the password.
Therefore, as an extra security measure, we should require the old password to change the password or the email address.
When changing other settings, inputting the password wouldn't be necessary.
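The rule proposed above, as an added Python sketch that is not part of the original issue and is not Matomo's code: changes to the password or email address must carry the current password, while other settings are applied on the session alone. All names here (`update_settings`, `SENSITIVE_FIELDS`, the user dictionary layout) are hypothetical, and PBKDF2 from the standard library is an assumption chosen to keep the example self-contained.

```python
import hashlib
import hmac
import os

# Fields whose change can lead to account takeover: the password itself, and
# the email address, because password-reset links are sent there.
SENSITIVE_FIELDS = {"password", "email"}


class ReauthRequired(Exception):
    """Raised when a sensitive change lacks a valid current password."""


def hash_password(password, salt=None):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the application's own KDF.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def update_settings(user, changes, current_password=None):
    """Apply `changes` to `user`; sensitive fields need the current password."""
    if SENSITIVE_FIELDS.intersection(changes):
        # A valid session alone is not enough: the person at the keyboard
        # must prove knowledge of the existing password. The check runs
        # before any field is written, so a rejected request changes nothing.
        if current_password is None or not verify_password(
            current_password, user["salt"], user["pw_hash"]
        ):
            raise ReauthRequired("current password required")
    for field, value in changes.items():
        if field == "password":
            user["salt"], user["pw_hash"] = hash_password(value)
        else:
            user[field] = value
    return user


def make_user(login, email, password):
    # Constructed sample account used to exercise the example.
    salt, pw_hash = hash_password(password)
    return {"login": login, "email": email, "salt": salt, "pw_hash": pw_hash}
```
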