posted by jf
so we're saying that all the attacker needs to do is: 1. enter the victim's username in the password reset page, 2. bruteforce a list of 5568 possible passwords on the login page. Such a bruteforce attack would only take a few minutes. Needless to say, when the correct password is found, the victim's account would be compromised. This is a very good example of how NOT to implement a password reset feature! Thanks for sharing, Jan!
Copyright © ProCheckUp Ltd | Design adapted from SEO Blogger