Password Reset Link Doesn’t Expire On Email Change

Jerry Shah (Jerry)
2 min read, Feb 5, 2020

Summary:

When an actor claims to have a given identity, the software does not prove, or insufficiently proves, that the claim is correct. This falls under improper authentication.

When a user requests a password reset link but never uses it, the link stays in the user’s inbox. If an attacker later gains access to the victim’s main mailbox (Gmail or Yahoo), that still-valid link lets them take over the victim’s account on any other website registered with the same email address.

Why does this happen?

  1. Websites forget to set an expiration time on the reset email/link.
  2. Websites do not expire the old password reset link when the email address is changed.
  3. Websites do not expire the password reset token after it has been used once.

How to find this vulnerability?

  1. Go to your target website and request a password reset link for your own account.

Password Reset Page

  2. Do not use it. Log in to your account and change the email address.

Email Changed

  3. After changing and confirming the new email, log out and open the old password reset link that was sent to your old email address.

Password Reset Link to Old Email

  4. Reset the password.

Resetting the password

  5. Log in with the changed password.

Logging in with the changed password

NOTE: In a real-world scenario this is only exploitable if the victim’s main mail account (Gmail/Yahoo) is compromised. Still, 70 out of 100 websites accept this risk, so you can report it.
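To show what the three missing controls look like on the server side, here is an added example (not code from the post or from any site it tested): a minimal in-memory reset-token service that expires tokens, makes them single-use, and revokes them on email change, with a function that replays the post’s test procedure against it. The 15-minute TTL, the user record and the email addresses are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; the post only says one must exist


@dataclass
class ResetToken:
    user_id: str
    bound_email: str      # address the link was actually sent to
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: dict = field(default_factory=dict)   # user_id -> current email
    tokens: dict = field(default_factory=dict)  # opaque token -> ResetToken

    def issue(self, user_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to user data
        self.tokens[token] = ResetToken(user_id, self.users[user_id], now + TOKEN_TTL_SECONDS)
        return token

    def change_email(self, user_id: str, new_email: str) -> None:
        self.users[user_id] = new_email
        for t in self.tokens.values():        # control 2: revoke every outstanding link
            if t.user_id == user_id:
                t.used = True

    def redeem(self, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        t = self.tokens.get(token)
        if t is None or t.used:               # unknown, or control 3: already consumed
            return False
        if now > t.expires_at:                # control 1: expired
            return False
        if t.bound_email != self.users[t.user_id]:  # defence in depth: email no longer matches
            return False
        t.used = True                         # consume on successful use
        return True


def run_checks() -> dict:
    """Replays the post's procedure, then exercises single-use and expiry."""
    svc = ResetService(users={"u1": "old@example.invalid"})  # constructed sample user
    old_link = svc.issue("u1", now=0.0)                   # step 1: request link, leave unused
    svc.change_email("u1", "new@example.invalid")         # step 2: change email
    old_link_after_change = svc.redeem(old_link, now=10.0)  # step 3: old link must fail
    fresh = svc.issue("u1", now=20.0)
    first_use, second_use = svc.redeem(fresh, now=30.0), svc.redeem(fresh, now=31.0)
    stale = svc.issue("u1", now=40.0)
    expired = svc.redeem(stale, now=40.0 + TOKEN_TTL_SECONDS + 1)
    return {"old_link_after_change": old_link_after_change, "first_use": first_use,
            "second_use": second_use, "expired": expired}
```

A vulnerable site behaves as if `change_email` never touched the token table; the replay in `run_checks` returns `True` for the old link in that case.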

Thank You :)

