Alright, with the recent string of account thefts, I decided I should post an issue I’ve been aware of for a few years now.
If someone gets into your account, one of the first things they do is change the email address.
So ROBLOX then sends the old email a “Did you do this email”. They also send the new email a verification email.
Now how often do you check your email? Are you feeling lucky? Because at that point you have to beat the attacker to ROBLOX’s “Did you do this”, before they get to the verification email.
Because once they verify, that “Did you do this” email link no longer works.
I think the rest is self-explanatory, but in case it’s not:
Oh, so that’s what causes it to be invalidated. I thought it was they changed it to another email after they changed it the first time and used the email reset on the first email they changed it to, invalidating all revert email emails.
Yeah, neither of those should happen. Those email links should always work for 24-72 hours no matter what they change your email to. I also recommend people connect their account to their primary email (or at least one that they check regularly) so that important emails don’t go unnoticed on some random email. An email notifier also works really well if you don’t like / have trouble remembering to check it manually.
If you think of the normal user case, not the hacked account case, shouldn’t the user be able to verify their new email address right away? The majority of email changes are legit. We don’t want to add friction to a user doing normal account activities.
2 Step is fine and verifications happening immediately is fine, but email revert emails shouldn’t be invalidated just because another email is verified. And regarding normal users, you have to keep in mind that not everyone is going to want to use 2 step because it’s kind of annoying to have to prove you’re you, and they still need to be able to get their account back if someone gets into it. Being able to revert the email even if a new one was verified accomplishes that.
No. There should never be more than one link out there that can revert the account. Think about the sequence in your scenario. What if the hacker changes the email twice and verifies both times? Now they have a valid revert link and the owner will also have a still active revert link. Who wins? When do the links get deactivated?
They should expire after a certain amount of time (like the password reset links do) – 24-72 hours sounds good. The reset link for the original email should take precedence over all other emails – when someone tries to take over an account, the original owner’s email is always the first one, so this works. If the infiltrator skips across 10 emails, using the original email’s email reset link should invalidate all of the links for the other 9 past emails. If the person who took the account for whatever reasons uses the email reset on #5, the reset emails for #6 onward are invalidated while the reset emails for #4 and earlier still work. I’m not sure how this would work from a technical point of view, but that’s the most beneficial behavior for us.
What you should be doing is keeping track of the emails that are used on the account. The longer the email has existed with the account the higher priority it should get. In other words, if multiple emails have these links, when one is clicked all links for newer accounts become inactive. This means that even if a hacker were to do this, my email would still be older so I have control.
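The precedence scheme the two posts above describe (revert links expire after a fixed window, verifying a new address never cancels older links, and redeeming the link for email #k discards #k+1 onward while #1..#k-1 stay usable), written out as an added model that is not Roblox’s code; the addresses, the 72-hour TTL and the takeover scenario are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

REVERT_TTL = timedelta(hours=72)  # expiry window the thread suggests (24-72 h)

@dataclass
class EmailRecord:
    address: str
    verified: bool = False
    revert_token: Optional[str] = None  # mailed to this address once it is replaced
    issued_at: Optional[datetime] = None

@dataclass
class Account:
    history: List[EmailRecord] = field(default_factory=list)  # oldest first

    def change_email(self, new_address: str, now: datetime) -> str:
        """Replace the current address; return the revert token mailed to the old one."""
        old = self.history[-1]
        old.revert_token, old.issued_at = secrets.token_urlsafe(16), now
        self.history.append(EmailRecord(new_address))
        return old.revert_token
    def verify_email(self) -> None:
        """Verifying the new address must NOT touch older revert tokens."""
        self.history[-1].verified = True
    def revert(self, token: str, now: datetime) -> bool:
        """Older addresses win: redeeming token #k discards emails #k+1 onward."""
        for idx, rec in enumerate(self.history):
            if rec.revert_token and hmac.compare_digest(rec.revert_token, token):
                if now - rec.issued_at > REVERT_TTL:
                    return False            # expired, like a password-reset link
                del self.history[idx + 1:]  # newer addresses and their tokens go away
                rec.revert_token = None     # single use
                return True
        return False                        # unknown, used, or already invalidated

def simulate_takeover():
    """Constructed scenario from the thread: attacker changes and verifies twice."""
    t0 = datetime(2024, 1, 1, 12, 0)
    acct = Account([EmailRecord("owner@example.com", verified=True)])
    owner_link = acct.change_email("thief-1@example.com", t0 + timedelta(minutes=1))
    acct.verify_email()
    thief_link = acct.change_email("thief-2@example.com", t0 + timedelta(minutes=2))
    acct.verify_email()
    owner_won = acct.revert(owner_link, t0 + timedelta(hours=5))  # inside TTL
    thief_won = acct.revert(thief_link, t0 + timedelta(hours=5))  # gone with #2
    return acct.history[-1].address, owner_won, thief_won
```

The owner’s link still wins after both attacker verifications, and the attacker’s own link is dead once the older address has been restored.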
I don’t mean to necrobump, but I just tested this process again, and it is now working how it should. Revert email will still work after an attacker has confirmed the email change.