I’ve just tried to change the email address of an already registered (and confirmed) customer. Surprisingly, that change worked instantaneously - without requiring the new email address to be confirmed (no new confirmation email was sent)
Is that intended? Isn’t that insecure?
You want the initial email address to be confirmed (that’s good!) but subsequent changes are accepted without any confirmation?
This makes the initial confirmation worthless as one could use a single email address to set-up a confirmed account and then change the address to that of another person.