How “Forgot Password” can cost you your account

Password reset link not expiring

After a user has redeemed a password reset token, that token should be burned: it must never be accepted again for that account. The problem is that developers sometimes forget to invalidate these tokens. This opens several attack avenues, such as the attacker being able to generate an infinite amount of tokens because the…
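The passage above describes the fix in words: a reset token must be single-use, must expire, and issuing a new token should invalidate any older one for the same account. The following Python example, added here and not taken from the article, shows one way to implement that. It assumes an in-memory store (a real deployment would use the application database or cache), a hypothetical 15-minute lifetime, and an injectable clock so the expiry path can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a reset link; the article gives no specific value.
RESET_TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Single-use, expiring password reset tokens (in-memory, illustrative)."""

    def __init__(self, now=time.time):
        self._now = now
        # Only a hash of the token is stored, so a leaked table does not
        # hand out usable reset links. Maps token_hash -> (account_id, expires_at).
        self._tokens = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        """Create a fresh token and revoke any outstanding token for the account."""
        # Burn older tokens: only the most recently issued link is valid.
        stale = [h for h, (acct, _) in self._tokens.items() if acct == account_id]
        for h in stale:
            del self._tokens[h]

        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._hash(token)] = (
            account_id,
            self._now() + RESET_TOKEN_TTL_SECONDS,
        )
        return token

    def consume(self, account_id: str, token: str) -> bool:
        """Redeem a token exactly once. Any failure leaves the token burned."""
        # pop() removes the record whether or not the checks below pass,
        # so a token can never be replayed after its first presentation.
        record = self._tokens.pop(self._hash(token), None)
        if record is None:
            return False  # unknown, already used, or superseded
        acct, expires_at = record
        if acct != account_id:
            return False  # token belongs to a different account
        if self._now() > expires_at:
            return False  # expired
        return True


def demo() -> dict:
    """Walk through the failure modes the text warns about, with a fake clock."""
    clock = [1_000_000.0]
    store = ResetTokenStore(now=lambda: clock[0])

    first = store.issue("alice")
    results = {"first_use": store.consume("alice", first)}
    results["replay"] = store.consume("alice", first)  # must be rejected

    older = store.issue("alice")
    newer = store.issue("alice")
    results["superseded"] = store.consume("alice", older)  # revoked by re-issue

    clock[0] += RESET_TOKEN_TTL_SECONDS + 1
    results["expired"] = store.consume("alice", newer)  # past its lifetime

    fresh = store.issue("alice")
    results["wrong_account"] = store.consume("bob", fresh)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `consume` removes the record before any validation, so a token that fails for any reason is also gone; a reset flow that only checks expiry but leaves the row in place is exactly the reuse problem the text describes.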
