I was surfing a website, http://www.99acres.com, few days back and tried to retrieve my password using “Forgot Password” page. As I entered my username, I was amazed to see my email address shown there. I, then, tried another name such as “karthik” and following was the message:“An email has been sent to firstname.lastname@example.org. Please click on the link provided in the email to create a new password.”Take a look at the screenshot below as an evidence of the vulnerability.
As 99acres.com is one of the India’s largest retail website, one could easily write an automated script and retrieve email addresses of millions of users and then, use different techniques to retrieve few passwords as well.
The solution is pretty simple. The response message could look like following:
“An email has been sent to your registered email address. Please click on the link provided in the email to create a new password.”
Follow him on Twitter and Google+.
Latest posts by Ajitesh Kumar (see all)
- Top 6 Freelance Jobs Websites for 2016-2017 - January 23, 2017
- AngularJS, Angular-UI Router Hello World Starter App – Code Sample - January 22, 2017
- Microservices, Continuous Delivery & AWS Cloud – Part 1 - January 16, 2017