Severe Account Security Issue
Alex Watson
Since I don't have an active sub, I'm posting this here in the hopes that someone at DevDept sees it.
Issue: It seems that assigning a license to a developer who doesn't have an account sends a password recovery email for the main account, rather than the newly created developer account. This allows the developer to not only change the password of the main account, but also gives them full access to the account.
Expected Result: The email the new developer receives to activate their account should link to the password recovery page for their account, not the main account.
Reproduction Steps:
- Log in to the main account
- Assign an unassigned license to a new developer, wait for "successfully assigned" message popup.
- Wait for developer to receive license assignment email
- Once received, confirm which account the password recovery page is for.
Additional Information:
- We use company emails for our developer accounts, so we know for sure that the user account didn't exist prior to the assignment.
- The license being assigned does not have an active support subscription.
- The license in question is for Ultimate WPF.
- Manually sending a password recovery email via the "Forgot Password" page for the developer account sends an email linked to the correct account, and allows the developer to log in to their own account successfully.
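As an added illustration, not DevDept's code (the token scheme, account model and function names are assumptions), a minimal model of the reported bug beside the corrected behaviour: the buggy assignment mints the recovery token for the logged-in main account, while the fixed one binds it to the newly created developer account and verifies that binding before the email goes out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key"


@dataclass
class Account:
    email: str


@dataclass
class ResetToken:
    subject: str   # the account this token is allowed to reset
    nonce: str
    mac: str       # HMAC over subject|nonce so the subject cannot be swapped


def mint_reset_token(subject_email: str) -> ResetToken:
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{subject_email}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return ResetToken(subject_email, nonce, mac)


def account_for_token(tok: ResetToken) -> Optional[str]:
    """What the password-recovery page resolves a token to, or None if forged."""
    expected = hmac.new(SECRET_KEY, f"{tok.subject}|{tok.nonce}".encode(), hashlib.sha256).hexdigest()
    return tok.subject if hmac.compare_digest(expected, tok.mac) else None


def assign_license_buggy(actor: Account, dev_email: str, accounts: Dict[str, Account]) -> ResetToken:
    """Mirrors the reported behaviour: the developer account is created, but the
    recovery token is minted for the session user (the main account)."""
    accounts.setdefault(dev_email, Account(dev_email))
    return mint_reset_token(actor.email)  # wrong principal: the actor, not the new developer


def assign_license_fixed(actor: Account, dev_email: str, accounts: Dict[str, Account]) -> ResetToken:
    """The actor only authorizes the assignment; the token subject is always the
    recipient, and sending is refused if the two ever disagree."""
    dev = accounts.setdefault(dev_email, Account(dev_email))
    tok = mint_reset_token(dev.email)
    if account_for_token(tok) != dev_email:
        raise RuntimeError("refusing to send: recovery token not scoped to recipient")
    return tok
```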
Comments
Thanks a lot, Alex; we will check and fix this.
Hello Alex,
We fixed this; please keep an eye on it the next time you assign a license to a developer.