by the_af
13 days ago
> You can deny it, or if you ignore it for 30 days the request goes through

That's a good measure, but it would fail for the attack scenario in TFA: the attacker claims their account was hacked, so presumably (if the support AI "believes" them) the notification email is compromised. If the account was hacked, you cannot let the one receiving the notification cancel your recovery attempt, which they will of course try to do.

Of course in this exploit it's all a lie, but what if your account truly was hacked and you were genuinely trying to recover it?