Mojira Archive
WEB-2080

Mojang Change Email SECURITY ISSUE

Hi, there is a security issue that allows changing the email address on an account with no security questions enabled.

There are 2 endpoints that don't verify whether the account has security questions enabled or not.

1. https://account.mojang.com/changeemail/request
2. https://account.mojang.com/changeemail

Both are POST requests.
When you post it on an account with no security questions, you are still able to change the account's email by sending the required payload and authenticityToken.

Fixed

David Rosley

[Mojang] Web Team

2020-04-12, 09:21 PM

2020-04-15, 07:37 AM

2020-04-15, 07:37 AM
