
But what if the attacker deleted the verification email after they merged the GitLab accounts? Then they still have a backdoor to your GitLab.


As far as I can see you are assuming an attacker with permanent access to your main email account.

If someone has persistent access to your main email account you will have all kinds of problems.


I agree sibling comments are not quite correct about persistent email access. You could fix the email problem while the "backdoor" to GitLab remains.

The problem statement says this about corrective action:

> I discover the hack and change the passwords on every account I know about

In actuality, the corrective action is to change the passwords and revoke any SSO integrations.

To the original point, this does add more overhead to the process, probably isn't obvious to most people, and depends on the site having clear UI for the topic.
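The point made in this comment, that a linked SSO identity is an authentication path independent of the password, is easy to see in a small model. The following is an added example written for this thread, not GitLab's code; the `Account` class, the provider name `attacker-idp`, the subject id and the remediation function names are all assumptions made for illustration. It shows that rotating the password alone leaves the linked identity usable, while rotating the password and revoking linked identities closes it.

```python
"""Model of an account with two authentication paths: a local password and
linked external (SSO) identities. Added example, not GitLab's code; all names
here are assumptions for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; the hashing scheme is not the point.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    # provider -> subject id asserted by that provider, e.g. {"some-idp": "sub-123"}
    linked_identities: dict = field(default_factory=dict)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)

    def login_with_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash_password(password, self.salt))

    def login_with_identity(self, provider: str, subject: str) -> bool:
        # Federated login: if the provider's asserted subject is linked, access is
        # granted without ever consulting the local password.
        return self.linked_identities.get(provider) == subject

    def link_identity(self, provider: str, subject: str) -> None:
        self.linked_identities[provider] = subject

    def revoke_identities(self) -> None:
        self.linked_identities.clear()


def attacker_links_identity(account: Account) -> tuple:
    """Constructed scenario from the thread: with control of the victim's mailbox
    the email-verification step is completed and a foreign identity is linked.
    Provider and subject values are made up for the example."""
    provider, subject = "attacker-idp", "attacker-sub-001"
    account.link_identity(provider, subject)
    return provider, subject


def remediate_password_only(account: Account, new_password: str) -> None:
    """What the problem statement describes: change the password and stop."""
    account.set_password(new_password)


def remediate_fully(account: Account, new_password: str) -> None:
    """What the comment recommends: change the password AND revoke SSO links."""
    account.set_password(new_password)
    account.revoke_identities()


def backdoor_remains(account: Account, provider: str, subject: str) -> bool:
    """True if the linked identity still authenticates after remediation."""
    return account.login_with_identity(provider, subject)


if __name__ == "__main__":
    victim = Account("victim@example.com")
    victim.set_password("old-password")
    prov, sub = attacker_links_identity(victim)
    remediate_password_only(victim, "new-password")
    print("after password change only, backdoor remains:", backdoor_remains(victim, prov, sub))
    remediate_fully(victim, "newer-password")
    print("after full remediation, backdoor remains:", backdoor_remains(victim, prov, sub))
```

Run as a script it prints `True` then `False`: the password rotation invalidates the old password but the linked identity still logs in until it is explicitly revoked.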


As somebody else said, once your email is compromised you are fucked and have far larger problems than a single individual site.



