A startup I worked for had this exact same security issue. I brought it up to the tech lead/CEO but they were in denial about it. A hand-rolled password reset by dummies, basically.
Why people are still hand rolling common stuff like this is baffling to me. I'm treading on offensive waters here, but I'd guess this is from a nodejs backend; for some reason it seems to be more common to hand roll stuff like this in node than in pretty much any other web language/framework I've worked with.
> Why people are still hand rolling common stuff like this is baffling to me
Don't most systems hand roll their own password reset? Using any backend tech, I mean. This isn't crypto, where hand rolling your own solution is almost always a mistake.
Couldn't you just demonstrate the exploit by resetting any password? (by a willing participant, so as not to be considered as doing something illegal). I wonder how your tech lead could deny that.
"Eh that required too much work, no one will try that in real life"
"Oh you were smart enough to open the dev tools and see that, that won't happen irl"
"Oh, users don't have important enough info stored on this account, so it won't hurt to have someone access it" (<- literally the reasoning used by a site I used in defense of poor security: "the attacker only gets access to your last name and the last 4 digits of your credit card, that's not bad enough to need more security")
Don't put it past an incompetent/lazy/underfunded tech lead to dismiss even a one-click account takeover script.