Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem.<\/p>\n
Menshn emails you a link in the form:<\/p>\n
pwreset.php?e=email@address.com&c=8chartoken<\/pre>\nAt least they are not emailing plain text passwords again. But, I noticed that the token link can be used both multiple times, and it does not expire.<\/p>\n
Requesting a new token to be emailed to you invalidates earlier tokens – however it remains the case that the most recent pwreset token stays valid.<\/p>\n
Ooops. Bad Menshn, bad. Back to the naughty corner for you.<\/p>\n
At least clear the stored token when the user uses it once (and ensure you don’t accept blank tokens).<\/p>\n","protected":false},"excerpt":{"rendered":"
Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem. Menshn emails you a link in the form: pwreset.php?e=email@address.com&c=8chartoken At least they are not emailing plain text passwords again. But, I noticed that the token link can be used … <\/p>\n