Email Change Security: Missing Verification and Notification Controls

[TheCyberDesk]

I am moving the below to the discussion board following feedback from a security submission.

Summary

Pterodactyl's email change functionality lacks two critical security controls that are industry standard across major platforms: email verification and old email notification. While password re-entry is required (which is good), the absence of these controls creates two significant security risks that I believe warrant discussion and consideration for future versions.

The Issues

Issue 1: No Email Verification to New Address

When a user changes their email, the new address is immediately activated without any verification that the user actually controls that email address.

Security Implications:

• Users can claim any email address without proving ownership
• Enables impersonation attacks (e.g., changing email to support@hostingcompany.com to appear as legitimate staff)
• Combined with compromised credentials, facilitates account takeover with no recovery path for the victim
• No way for other users to distinguish verified vs. unverified email addresses

Issue 2: No Notification to Old Address

When an email is changed, the original email address receives zero notification about the change. The user whose account has been modified has no way of knowing their email was changed unless they happen to log in and check.

Security Implications:

• If credentials are compromised (data breach, keylogger, phishing), victim receives no alert that their email was changed
• Delayed discovery means attacker has time to complete password reset and fully take over the account
• No opportunity for the legitimate user to cancel an unauthorized change
• Victim may not discover the compromise for weeks or months

1. Industry Standards and Guidelines

NIST SP 800-63B (Digital Identity Guidelines), Section 6.1.2.3:

"When a subscriber's email address is changed, the CSP SHALL send a notification to the old email address. The notification SHOULD include information on how to report unauthorized activity."

OWASP Authentication Cheat Sheet:

"Require email verification when changing account email address. Send a notification email to the current address."

CWE-620: Unverified Password Change:

"The product does not properly verify the user's intent when the user wishes to modify or update some security-critical data, such as a password or authentication credentials."

CWE-451: User Interface Misrepresentation of Critical Information:

"The user interface (UI) does not properly represent critical information to the user, allowing the information to be spoofed or obscured."

Displaying unverified emails as if they're legitimate misrepresents critical security information to other users.

3. Real-World Attack Scenarios

Scenario A: Credential Stuffing Campaign

• Attacker obtains credentials
• Automated script tests credentials against known Pterodactyl installations
• For each successful login, script changes email to attacker-controlled address
• Password requirement doesn't stop this (attacker has the password)
• No notifications sent to victims
• Weeks later, victims discover they're permanently locked out
• Password reset goes to attacker's email

Scenario B: Social Engineering via Email Impersonation

• Hosting company uses Pterodactyl for customer game servers
• Attacker creates account, changes email to support@hostingcompany.com
• No verification required to claim this email
• Attacker contacts customers via Discord offering "official support"
• Customers check panel, see verified company domain, trust the attacker
• Grant elevated server permissions
• Attacker does what an attacker would do
• Company faces reputation damage, customer loss, possible regulatory action

Every major platform implements email verification and notification.

Proposed Solution

I believe Pterodactyl should implement the following controls to align with industry standards:

Minimum Required:

1. Email Verification

• User requests email change
• System generates unique verification token
• Verification email sent to NEW address: "Click here to confirm email change"
• Email change remains PENDING until link is clicked
• Token expires after 24 hours
• Display "Email Unverified" status during pending period

2. Old Email Notification

• Immediately send notification to OLD email when change is requested
• Include: new email address, timestamp, IP address, user agent
• Provide "I didn't authorize this - cancel immediately" link
• Link cancels pending change and alerts user to potential compromise

Recommended:

3. Cancellation Window

• Even after new email is verified, implement 24-hour waiting period
• During this time, old email can still cancel the change
• Provides safety net if legitimate user discovers compromise

4. Rate Limiting

• Maximum 3 email change attempts per 24 hours
• Prevents automated mass exploitation via credential stuffing

5. UI Indicators

• Display "Email Verified" badge for confirmed emails
• Display "Email Unverified" warning for pending changes
• Show verification status in subuser lists and activity logs
• Helps prevent impersonation attacks

Benefits of Implementation

1. Prevents Account Takeover: Victims receive immediate notification of unauthorised email changes, allowing them to cancel before password reset
2. Prevents Impersonation: Email verification proves ownership, preventing users from claiming company/staff email addresses
3. Aligns with Standards: Meets NIST SP 800-63B and OWASP guidelines
4. Protects Hosting Providers: Reduces liability and reputation damage from impersonation attacks