I was playing around with the Contest extension and used "hhhh@f" as my e-mail address. The extension accepted this e-mail address (which ought to be the subject of another bug), but more disturbingly, the extension silently set my global e-mail address as "hhhh@f" and marked the e-mail address as being confirmed/authenticated. The Contest extension shouldn't touch user.user_email at all. And it most certainly shouldn't do so silently.
Version: unspecified
Severity: normal