It's been a while since my last two posts on the topic. This time it's Groupon.
The password reset page is over HTTP:
The reset password email that you receive contains a link that looks like this:
http://groupon.com/users/password_reset/{token}?utm_source=password_reset&utm_medium=email&sid={sid}&user={uid}&date={YYYYmmdd}
This link does a 301 to itself and then a 302 to an HTTPS version of itself.
The good thing is that your new password is sent over SSL. The bad thing is that your reset token is sent in clear text.
Update: This issue has been fixed by Groupon a couple of hours after reporting it.
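As an added example (not code from the original post or from Groupon), here is a small audit of the redirect chain described above: it walks a constructed list of (URL, status) hops mirroring the 301-then-302 behaviour and reports every hop on which the reset token, `sid` or `user` value travels over plain HTTP. The token and ids are placeholders, and the path prefix `/users/password_reset/` is taken from the link format shown in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed chain mirroring the post: HTTP link -> 301 to itself -> 302 to HTTPS.
# TOKEN_PLACEHOLDER / SID_PLACEHOLDER / UID_PLACEHOLDER are not real values.
RESET_URL = ("/users/password_reset/TOKEN_PLACEHOLDER"
             "?utm_source=password_reset&utm_medium=email"
             "&sid=SID_PLACEHOLDER&user=UID_PLACEHOLDER&date=20130101")
EXAMPLE_CHAIN = [
    ("http://groupon.com" + RESET_URL, 301),   # first request, clear text
    ("http://groupon.com" + RESET_URL, 302),   # 301 target: same URL, still HTTP
    ("https://groupon.com" + RESET_URL, 200),  # 302 target: finally over TLS
]

RESET_PATH_PREFIX = "/users/password_reset/"
SENSITIVE_QUERY_KEYS = {"sid", "user"}


def extract_token(url):
    """Return the reset token embedded in the URL path, or None if absent."""
    path = urlsplit(url).path
    if not path.startswith(RESET_PATH_PREFIX):
        return None
    token = path[len(RESET_PATH_PREFIX):].split("/", 1)[0]
    return token or None


def exposed_fields(url):
    """Names of secret-bearing fields that this URL would send in the clear."""
    if urlsplit(url).scheme != "http":
        return []
    fields = ["token"] if extract_token(url) else []
    query = parse_qs(urlsplit(url).query)
    fields += sorted(k for k in query if k in SENSITIVE_QUERY_KEYS)
    return fields


def audit_reset_chain(chain):
    """Summarise how many hops leak secrets before the chain reaches HTTPS."""
    leaks = [(i, status, exposed_fields(url))
             for i, (url, status) in enumerate(chain) if exposed_fields(url)]
    return {
        "token_in_clear": any("token" in f for _, _, f in leaks),
        "cleartext_hops": len(leaks),
        "leaks": leaks,
        "final_scheme": urlsplit(chain[-1][0]).scheme,
    }


if __name__ == "__main__":
    print(audit_reset_chain(EXAMPLE_CHAIN))
```

The fix the post reports amounts to making the very first hop HTTPS, which the audit confirms by returning zero clear-text hops for a chain that starts with an `https://` link.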