undefined | Better HN

0 pointsghostbrainalpha5y ago0 comments

Could you explain why that's bad for someone who knows nothing about security?

Where should the password reset token be?

0 comments

The token should only be accessible to the user requesting the password reset, meaning that it would be sent via email (this is the standard password reset flow).

The flaw here is that anyone, even if they did not control the email of the user, could reset the password, because the reset token was returned in the browser, where anyone could see it. Essentially, just by knowing someone's email (not having control over it), you could reset their password.

ghostbrainalphaOP5y ago

You did a really great job breaking that down! Thank you!

Jtsummers5y ago

It should’ve been sent via email to the registered email address. That lets the account owner reject it (I didn’t request a password reset!) or use it.

dewey5y ago

In an email sent to the address linked to the account.

j / k navigate · click thread line to collapse