Menshn: Another password design flaw

Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem.

Menshn emails you a link in the form:

pwreset.php?e=email@address.com&c=8chartoken

At least they are not emailing plain text passwords again. But, I noticed that the token link can be used both multiple times, and it does not expire.

Requesting a new token to be emailed to you invalidates earlier tokens – however it remains the case that the most recent pwreset token stays valid.

Ooops. Bad Menshn, bad. Back to the naughty corner for you.

At least clear the stored token when the user uses it once (and ensure you don’t accept blank tokens).

One Reply to “Menshn: Another password design flaw”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.