Password reset link doesn't expire

From Hackipedia
Hackerone #14461
Target: Factlink
Target Module:
Type: Best Practice
Payload:
Original: Link
CVE:
Archive

Password reset functionality can be rife with errors. In this particular case, password reset tokens were not expiring after a set amount of time. A reset token that stays valid indefinitely greatly increases the odds of a malicious user guessing a correct reset token and hijacking the account.

How To Perform

  1. Create account
  2. Perform password reset operation
  3. Observe time of validity for link
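As an added illustration of the fix (this is not code from the report or from Factlink), the store below issues reset tokens that are unguessable, stored only as a hash, single-use, and rejected once a time-to-live has elapsed; the 30-minute window and the in-memory store are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumed policy: a reset link is valid for 30 minutes and may be used once.
RESET_TOKEN_TTL_SECONDS = 30 * 60

# Constructed in-memory store: sha256(token) -> {"user_id", "expires_at", "used"}
_reset_tokens = {}


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield live reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id that expires after the TTL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    _reset_tokens[_digest(token)] = {
        "user_id": user_id,
        "expires_at": now + RESET_TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused; else None.

    Expired or replayed tokens are deleted when seen, so they cannot linger.
    """
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _reset_tokens.get(key)
    if entry is None:
        return None
    if entry["used"] or now > entry["expires_at"]:
        _reset_tokens.pop(key, None)  # consume expired / replayed tokens
        return None
    entry["used"] = True  # the link works exactly once
    return entry["user_id"]
```

The expiry check in `redeem_reset_token` is the control whose absence the report describes; a real deployment would persist the hashed entries in the application database instead of a module-level dict.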