Feedback and Feature Requests

Share your Nozbe ideas, post your impressions, tell us how you use Nozbe to get things done. Help us make Nozbe better for you.


Large security flaw

Daniel S, Sunday, September 26
Comments: 5

Hi guys

I just wanted to change my password and discovered a large security flaw.

If you want to change a password, you do not need to provide your old password. So, say a user forgets to log out, then someone else can just change the password without knowing the old one.

Hope this gets fixed soon – this flaw should be obvious nowadays.

Besides that – thanks for a great service.

Cheers

Comments:

Delfina 27 Sep 10 08:56

Hello Daniel,

I will pass it to Michael and the rest of the team. I believe it was originally omitted for the simple reason that if someone is logged into your account and wants to change the password… they need to know the password to get into it in the first place. So logically if you ask them for the old one… it won’t stop them because they already know it… otherwise how would they get inside. Nonetheless we’ll look at this.

Daniel S 28 Sep 10 13:20

Hi Delfina

Thanks for your quick reply. This is actually quite simple as I see it.

I leave my computer at work, in a cafe or wherever for a few minutes. I am still signed into Nozbe.

Now someone can just take over my account and change the password – without logging in.

This should be a basic issue – take a look at 90%+ of other websites and how they handle password changes.

Cheers

Delfina 30 Sep 10 10:15

Daniel,

I’m not sure how you would leave your computer like this… I always log out before walking away (have had way too many bad experiences with leaving my stuff unattended like this). However, I did post this issue to Michael and tech. I will also bring it up at our next team meeting.

Michael 6 Oct 10 09:34

Hi Daniel, While it’s not a large security flaw, we might want to revisit it in the future. The good thing is that you can’t change your email without the old one, so even if, unlikely as it is, someone changes your password, you can still regain it with your email using our “forget your password” form. We’ll revisit this concept and see if we change it to make it more secure, but the most important thing is that having the same email address helps you maintain control over your Nozbe account and no one can take it from you. Thanks for looking into this!
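The two handlers below illustrate the point of the thread: a password-change route that trusts the session alone versus one that re-authenticates with the current password and drops every other session, with the same guard on the email address Michael describes as the recovery anchor. This is an added example written for this page, not Nozbe's code; the in-memory `Account` store, the token scheme and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for a user table; PBKDF2 rounds kept low for the demo.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.sessions = set()  # active session tokens for this account

    def verify(self, password: str) -> bool:
        # Constant-time compare so timing does not leak how close a guess was.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def login(self, password: str) -> Optional[str]:
        if not self.verify(password):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

# Weak handler, as described in the thread: a live session is all it takes.
def change_password_weak(acct: Account, session: str, new_password: str) -> bool:
    if session not in acct.sessions:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    return True

# Hardened handler: re-authenticate with the current password, then keep only
# the requesting session so an unattended browser elsewhere is logged out.
def change_password(acct: Account, session: str, current: str, new_password: str) -> bool:
    if session not in acct.sessions or not acct.verify(current):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.sessions = {session}
    return True

# Same guard on the email address, since it is what password recovery relies on.
def change_email(acct: Account, session: str, current: str, new_email: str) -> bool:
    if session not in acct.sessions or not acct.verify(current):
        return False
    acct.email = new_email
    return True
```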

Daniel S 8 Oct 10 22:32

Michael and Delfina, thanks for your comments. Appreciate that you take our comments seriously and keep up the good work!
