HTTP Referer header security: who has your reset password url? (reddit.com)
3 points by markarichards on Aug 17, 2015 | hide | past | favorite | 1 comment



How much do websites trust other companies with their reset password urls?

Many websites use third-party assets on their pages, which for most pages doesn't matter too much, but for the reset-password URL it often results in those parties getting a user access token.

In the time it takes to set your password, those receiving the reset-password URL can set their own, scrape your account and disappear.

If your attempt to reset the password failed... would you a) believe you'd entered it wrong, b) think the site had gone wrong, or c) report it to the website as a security problem?

It's easy to dismiss the problem... For most sites who cares? What are the chances someone is misusing this?

Ideally, web browsers should stop sending referer headers completely.

In the meantime, web developers should protect their users, not because it's likely to be abused (I have no reason to believe it is) but because it is their responsibility to look after any user token.



