[Security] Password reset page lacks https
It looks like, for now, the default password reset page (the one the user is redirected to from the email and is required to enter the new password on) lacks https, so the new user password is sent in plaintext and can be read by third parties.
http://outof.cards/accounts/reset/NDE2/{id} should be https instead, as the http version redirects to
http://outof.cards/accounts/reset/NDE2/set-password/ where the password form is.
The perfect solution would be not only to change the email link, but also to make the security-related pages https-only and redirect http GET requests to them.
The plaintext request contains the following body: csrfmiddlewaretoken=TOKEN&new_password1=123456&new_password2=123456
so an attacker who captures it can easily obtain the user's new password.
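As an added example (not code from the site or from the reporter), here is a small Python audit script for the two checks this report calls for: does following the emailed reset link end on a plain-http page carrying the new-password form, and does an http GET to such a page get redirected to https before any content is served. It assumes the site is Django-based (csrfmiddlewaretoken and new_password1/new_password2 are django.contrib.auth's SetPasswordForm field names), uses "TOKEN" as a placeholder for the real reset token, and the VULNERABLE_SITE and FIXED_SITE tables are constructed sample data modelling the behaviour described above, not captured traffic.

```python
import http.client
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urljoin, urlsplit

# Placeholders: the real uidb64 and token from the report are not reproduced here.
HOST = "outof.cards"
RESET_PATH = "/accounts/reset/NDE2/TOKEN/"                 # link from the reset email
SET_PASSWORD_PATH = "/accounts/reset/NDE2/set-password/"   # where Django shows the form
FORM_MARKER = 'name="new_password1"'                        # Django SetPasswordForm field
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def follow(fetch, url, max_hops=5):
    """Follow redirects by hand with fetch(url) -> Response, recording every hop
    so we can see which scheme each page was actually served over."""
    hops = [url]
    resp = fetch(url)
    while resp.status in REDIRECTS and len(hops) <= max_hops:
        url = urljoin(url, resp.headers.get("Location", ""))
        hops.append(url)
        resp = fetch(url)
    return hops, resp


def form_served_over_http(fetch, start_url):
    """The reported bug: following the emailed link ends on a plain-http page
    that contains the new-password form, so the POST will go out in cleartext."""
    hops, final = follow(fetch, start_url)
    return FORM_MARKER in final.body and urlsplit(hops[-1]).scheme == "http"


def http_upgraded_before_content(fetch, http_url):
    """The requested fix: an http GET must be answered with a redirect to the
    same host and path on https before any content is served."""
    first = fetch(http_url)
    if first.status not in REDIRECTS:
        return False
    src = urlsplit(http_url)
    dst = urlsplit(urljoin(http_url, first.headers.get("Location", "")))
    return dst.scheme == "https" and dst.netloc == src.netloc and dst.path == src.path


def reset_link_scheme(email_body):
    """Scheme of the first URL in the reset email; it should be 'https'."""
    m = re.search(r"https?://\S+", email_body)
    return urlsplit(m.group(0)).scheme if m else None


def recover_password(captured_body):
    """What an on-path observer reads out of the cleartext form POST."""
    return parse_qs(captured_body).get("new_password1", [None])[0]


def live_fetch(url, timeout=10):
    """Real transport for auditing a host (http.client does not follow redirects)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    conn.request("GET", u.path or "/")
    r = conn.getresponse()
    return Response(r.status, {"Location": r.getheader("Location", "")},
                    r.read().decode("utf-8", "replace"))


def make_fetch(table):
    """Offline transport backed by a constructed URL -> Response table."""
    return lambda url: table.get(url, Response(404))


# Constructed sample data modelling the behaviour described in the report.
FORM_PAGE = Response(200, body='<form method="post"><input name="new_password1"></form>')
VULNERABLE_SITE = {
    f"http://{HOST}{RESET_PATH}": Response(302, {"Location": SET_PASSWORD_PATH}),
    f"http://{HOST}{SET_PASSWORD_PATH}": FORM_PAGE,
}
FIXED_SITE = {
    f"http://{HOST}{RESET_PATH}": Response(301, {"Location": f"https://{HOST}{RESET_PATH}"}),
    f"http://{HOST}{SET_PASSWORD_PATH}": Response(301, {"Location": f"https://{HOST}{SET_PASSWORD_PATH}"}),
    f"https://{HOST}{RESET_PATH}": Response(302, {"Location": SET_PASSWORD_PATH}),
    f"https://{HOST}{SET_PASSWORD_PATH}": FORM_PAGE,
}
CAPTURED_POST = "csrfmiddlewaretoken=TOKEN&new_password1=123456&new_password2=123456"

if __name__ == "__main__":
    for name, site in (("vulnerable", VULNERABLE_SITE), ("fixed", FIXED_SITE)):
        fetch = make_fetch(site)
        print(name, "form over http:", form_served_over_http(fetch, f"http://{HOST}{RESET_PATH}"),
              "| http upgraded:", http_upgraded_before_content(fetch, f"http://{HOST}{RESET_PATH}"))
    print("password recovered from capture:", recover_password(CAPTURED_POST))
```

To run the same checks against a real host, pass live_fetch instead of make_fetch(...) and a real reset URL. Two Django specifics worth knowing when fixing this: the scheme in the reset email comes from request.is_secure() (rendered as {{ protocol }} in the password_reset_email template), so a reset requested over http, or behind a proxy with SECURE_PROXY_SSL_HEADER unset, produces an http link even if https is available; and SECURE_SSL_REDIRECT = True together with an HSTS setting (SECURE_HSTS_SECONDS) is the usual way to get the "redirect http GETs to https" behaviour the report asks for, with CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE keeping the accompanying cookies off plain http.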
Just wanted to follow up on this.
Founder, Out of Games