RedRed
Viceroy
tl;dr: a logout should be forced after password change
When you are in doubt whether someone has access to your account, support kindly suggests that you change your password. This is good in theory but has no real effect if you aren't used to logging out, because existing sessions aren't invalidated on password change. I consider it a serious bug / lack of security.
This has several implications:
- Whoever has gained access to your account will be able to stay in it for a long time still - and you'll never know, since even support can't tell you if someone else has logged in to your account;
- Whoever has gained access to your account can change your password, to a new one or even by restoring the old compromised password if you have changed it, and you can't notice it (both because the existing sessions are not invalidated and because no e-mail notification is sent to you on password change).
Steps to reproduce:
- Log in on several browsers and devices;
- Enter the game from one device and change the password;
- Any other browser/device on which you were previously logged in is still able to load the game without asking for new authentication;
I know that it isn't a common scenario; however, it is something with heavy implications for both security and privacy.