WT actual F

Sol Member Posts: 7

So pissed right now.
1. Told my staff we were switching to Wave (despite the inane lack of signature/photo attachment), set up a user account, and sent an invite email.
2. Logged into the user account and attempted to sign in... password wrong.
3. MY MAIN PASSWORD was changed!!
4. So basically, you have a MASSIVE SECURITY FLAW WHICH GIVES USER ACCOUNTS THE RIGHT TO CHANGE MAIN PASSWORDS!!

Comments

  • Sol Member Posts: 7

    Specifically, what this means is that I have:
    1. My admin email that I CREATED the account with. (This is NOT the email that I want on every invoice, nor is it the email that I want my staff to have access to.)
    2. My add-on email that is the name-of-business email. So this one appears on invoices etc., right? (Hopefully I can prevent the admin email from being used??)
    3. When I go to sign in with the add-on email (let's say as one of my staff, who has access to the business email), all I have to do is click "forgot password" and it lets me reset it... by sending a reset TO THE ADD-ON EMAIL!!! So anyone who has access to the email USED ON THE INVOICES has the ABILITY TO OBTAIN TOTAL CONTROL OF THE WAVE ACCOUNT!!
    @WAVEHQ

  • Charlotte Member Posts: 671 admin

    Hi @Sol ! Wave is built to have a primary (single) account holder. Secondary addresses that you add to the account also belong to that account holder and therefore share a password. They all live under the "Your Profile" menu. If you would like to add others (employees, business partners, accountants) to your account with their own credentials, we recommend you use Wave's multi-user function, designed for this purpose. You can find the steps here if you'd like a visual, but you should be able to easily find this in your Settings menu on the left navigation. You control the permissions for guest users, and they will not be able to see or edit account-level settings.

    edited October 24, 2018
  • Sol Member Posts: 7

    You just completely avoided the point or missed it, which is a further concern.
    Can you read my posts and respond to the security concern, or find someone in your company who can read it, comprehend it and respond to it, rather than giving a cut-and-paste answer?
    It was obvious from my post that I already understand everything you just suggested, so please don't patronize, and read more carefully.
    This is a major issue if the only email addresses that can be used by ANY company all have the ability to reset the MAIN password.
    I'm doing you a favor here; please pay attention.
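The argument in this thread is about where a "forgot password" link is allowed to be delivered. The following Python model is an added illustration and is not Wave's code; it assumes the account shape Charlotte describes (one primary account holder, secondary addresses that share the same password) and uses constructed sample addresses. It puts the weak lookup Sol describes (any address on the profile can receive the reset token) beside a hardened one (only the primary address is a reset target), and shows what someone with access to the shared invoice mailbox can harvest in each case.

```python
"""Added example: password-reset delivery for an account with secondary addresses.

Not Wave's code. Account layout, addresses and handler names are assumptions
made for this illustration; the sample data is constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    primary_email: str                 # address the account was created with
    secondary_emails: tuple[str, ...]  # add-on addresses, e.g. the one on invoices


# Constructed sample data: owner signed up with a personal address and added
# the shared business address that is printed on invoices and read by staff.
ACCOUNTS = (
    Account("owner@example.com", ("billing@example-biz.com",)),
)

# Same reply whether or not the address exists, so the endpoint cannot be used
# to enumerate which addresses are on an account.
GENERIC_REPLY = "If that address is on an account, a reset link has been sent."


def _normalize(email: str) -> str:
    return email.strip().lower()


def find_by_any_address(email: str):
    """Match the submitted address against primary AND secondary addresses."""
    e = _normalize(email)
    for acct in ACCOUNTS:
        if e == _normalize(acct.primary_email) or e in {
            _normalize(s) for s in acct.secondary_emails
        }:
            return acct
    return None


def find_by_primary(email: str):
    """Match the submitted address against the primary address only."""
    e = _normalize(email)
    for acct in ACCOUNTS:
        if e == _normalize(acct.primary_email):
            return acct
    return None


def request_reset_weak(email: str, outbox: list) -> str:
    """Weak: the token is mailed to whatever address was submitted. Because every
    address on the profile shares one password, reading the shared mailbox is
    enough to take over the whole account."""
    acct = find_by_any_address(email)
    if acct is not None:
        outbox.append((_normalize(email), secrets.token_urlsafe(32)))
    return GENERIC_REPLY


def request_reset_hardened(email: str, outbox: list) -> str:
    """Hardened: secondary addresses are contact addresses, not credentials.
    Only the primary address is accepted, and the token is only ever delivered
    to the primary address, never to the string the requester typed."""
    acct = find_by_primary(email)
    if acct is not None:
        outbox.append((_normalize(acct.primary_email), secrets.token_urlsafe(32)))
    return GENERIC_REPLY


def tokens_readable_from(outbox: list, mailbox: str) -> list[str]:
    """Reset tokens that someone reading `mailbox` could harvest."""
    m = _normalize(mailbox)
    return [token for to, token in outbox if to == m]


def attacker_gets_token(handler, mailbox: str = "billing@example-biz.com") -> bool:
    """Simulate a staff member who can read the invoice mailbox requesting a
    reset for that address, then checking whether a token landed there."""
    outbox: list = []
    handler(mailbox, outbox)
    return bool(tokens_readable_from(outbox, mailbox))


if __name__ == "__main__":
    print("weak handler leaks token to shared mailbox:",
          attacker_gets_token(request_reset_weak))
    print("hardened handler leaks token to shared mailbox:",
          attacker_gets_token(request_reset_hardened))
```

The design point is the second lookup: a reset target is chosen from the stored primary address, not echoed back from user input, and an address that merely appears on invoices can never become a login credential. A product that wants secondary addresses usable for sign-in should give each its own password (Charlotte's multi-user model) rather than share one.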
