Bugs

Bugs | Posted by | 6 years, 10 months ago
Discussion

[Security] Password reset page lacks https

Looks like for now the default password reset page (the one the user is redirected to from the email and that requires them to enter the new password) lacks https, so the new user password is sent in plaintext and can be read by third parties.

http://outof.cards/accounts/reset/NDE2/{id} should be https instead, as http version redirects to

http://outof.cards/accounts/reset/NDE2/set-password/ where the password form is.

The perfect solution would be not only to change the email link, but also to make security-related pages https only and redirect http GET requests to them.

Plaintext request contains the following body:  csrfmiddlewaretoken=TOKEN&new_password1=123456&new_password2=123456

so an attacker who obtains it can easily get the new user password.
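The form field names (csrfmiddlewaretoken, new_password1, new_password2) and the /accounts/reset/ URL pattern match Django's built-in password reset views, so the following is an added example of the server-side fix for that stack; it is not code from the site and assumes Django with SecurityMiddleware enabled (the default). Django builds the emailed reset link's scheme from request.is_secure(), which is why the proxy header setting matters as much as the redirect. The helper and regex are illustrative additions for a test suite, not part of Django.

```python
# settings.py fragment (Django settings; framework assumed from the form field names)
import re

# Redirect every plain-HTTP request to HTTPS. Requires
# "django.middleware.security.SecurityMiddleware" in MIDDLEWARE.
SECURE_SSL_REDIRECT = True

# Behind a TLS-terminating proxy or load balancer Django only sees plain HTTP,
# so request.is_secure() is False and PasswordResetView renders the emailed
# link as http://. Naming the proxy's header fixes both the redirect loop and
# the link scheme. Only set this if the proxy strips the header from clients.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

# Session and CSRF cookies are only sent over TLS, so they never travel in the clear.
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

# HSTS: browsers refuse to load the site over http for one year after the first
# HTTPS visit, which also covers a user who types the http:// link by hand.
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

# Illustrative test-suite check (not a Django API): after triggering the reset
# flow in a test, scan the captured outgoing email for reset links that are
# still plain http.
RESET_LINK_RE = re.compile(r"(https?)://[^\s/]+/accounts/reset/\S+")


def insecure_reset_links(email_body: str) -> list[str]:
    """Return every /accounts/reset/ link in the email body whose scheme is not https."""
    return [
        m.group(0)
        for m in RESET_LINK_RE.finditer(email_body)
        if m.group(1) != "https"
    ]


if __name__ == "__main__":
    # Constructed sample email body, not a real message from the site.
    sample = "Reset your password: http://outof.cards/accounts/reset/NDE2/TOKEN-PLACEHOLDER/ Thanks"
    print(insecure_reset_links(sample))
```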


Comments

  • Just wanted to follow up on this.

    • No URLs on the site are able to be used on HTTP anymore. This was updated late last week.
    • A bug has been logged for the URLs being sent in emails to correctly send with HTTPS as the protocol.