If one goes to checkout while not logged on, the user is presented with fields to register (or a link to logon). If one already has an account and uses that information in the registration form, then the order is placed on that account, even if the password given is wrong. This could be used maliciously. Once we are taking credit cards there will be the additional check of giving the correct credit card number which should stop most uses. If the correct password is given, the user is logged on at the completion of checkout. If the password is wrong, the user is not logged on so it is not a severe security exposure.
Required actions:
- report bug
- fix if possible
- wait for fix
- apply fix
- reverify