I recently changed my REAL address, then logged off of spamgourmet. When I later checked my email, I had the confirmation request. I clicked the link and was taken back to spamgourmet where it showed that the new address was now being used.
The flaw I see is that it had me logged in under my account. Had I mistyped the REAL address, the person that got that email could have clicked the link and been taken into my spamgourmet account.
I realize they wouldn't be able to change my password but they could do just about anything else.
Did I do something wrong or is this the correct operation for this feature?
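
An added sketch, not part of the original post and not spamgourmet's code, of a confirmation-link handler in which the e-mailed token only confirms the pending address and never logs anyone in. The `Accounts` class, its method names and the one-hour token lifetime are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)


class Accounts:
    """Toy in-memory account store; every name here is hypothetical."""

    def __init__(self):
        self.real_address = {}  # user -> confirmed forwarding address
        self.pending = {}       # sha256(token) -> (user, new_address, expires)

    def request_change(self, user, new_address, now=None):
        """Called from a logged-in session; returns the token to e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only a digest so a leaked table does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user, new_address, now + TOKEN_TTL)
        return token

    def confirm(self, token, session_user=None, now=None):
        """Handle a click on the e-mailed link.

        The token proves control of the mailbox and nothing else. It applies
        the pending change but never creates or upgrades a session: the
        caller is exactly as logged in (or not) after the click as before.
        """
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: gone after one click
        if entry is None or now > entry[2]:
            return {"confirmed": False, "session_user": session_user}
        user, new_address, _expires = entry
        self.real_address[user] = new_address
        # session_user is passed through untouched, never set to `user`.
        return {"confirmed": True, "session_user": session_user}
```

With this shape, whoever clicks the link sees only a confirmation result; reaching any account page still requires the normal login.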