If we change a Webex user's email address (say by webex.com or idbroker.webex.com) then the original email address is sent an email identifying that a change has been made and to check the new email address; the new email address receives a similar notification, which also contains a "confirm email" button to complete/confirm the changing of email address.
If the email address change is made by API call then no such emails are sent.
This lack of confirmation will be seen as a security loophole, allowing people to randomly change the email address associated with a Webex account (e.g. to their own email!), so needs resolving a.s.a.p. please before our customers/resellers recognise this limitation and complain to us.
I appreciate that when a change is made via API call, the change can only be made by an Org Administrator, and that a user who's given the Administrator role should be vetted by the Org to ensure that they are capable of managing users correctly and will not cause any issues where they purposely change user information without that user's consent.
However, even if the change is made by an Administrator, I would think that from a security perspective, the impacted end user ought to be informed (as a double-check that nothing awry is going on) - standard security principles state that you should “always protect against the malicious insider” (especially if they have elevated privilege)!
I also note that in most cases I have experienced, even if I change my own email address on a website or in an application, both my old and new email addresses are notified …