

HTTP Referer header security: who has your reset password url? - markarichards
https://www.reddit.com/r/websec/comments/3hcypq/you_can_send_reset_password_urls_to_sites_that/

======
markarichards
How much do websites trust other companies with their reset password urls?

Many websites use third-party assets on their pages, which for most pages
doesn't matter too much, but for the reset password url it often results in
those parties getting a user access token.

In the time it takes to set your password, those receiving the reset password
url can set their own, scrape your account and disappear.

If your attempt to reset the password failed, would you a) believe you'd
entered it wrong, b) think the site had gone wrong, or c) report it to the
website as a security problem?

It's easy to dismiss the problem... For most sites who cares? What are the
chances someone is misusing this?

Ideally, web browsers should stop sending referer headers completely.

In the meantime, web developers should protect their users, not because it's
likely to be abused (I have no reason to believe it is) but because it is
their responsibility to look after any user token.
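The leak the post describes can be checked mechanically: given the reset page's URL, its HTML and the `Referrer-Policy` it sends, work out which cross-origin hosts the browser will fetch resources from and what each of them receives in the `Referer` header. The script below is an added example for this discussion, not code from the post or from any site mentioned in it. The page URL, token value, hostnames and HTML are constructed; the policy table is a simplified model of the `Referrer-Policy` rules (HTTPS page, no downgrade handling beyond the `strict-*` and `no-referrer-when-downgrade` cases). Modern browsers default to `strict-origin-when-cross-origin`, so the default run shows only the origin being sent; the second run models the older `no-referrer-when-downgrade` default under which the full URL, token included, went to every third party on the page.

```python
"""Audit whether a password-reset page leaks its URL (and the token in it)
to third-party hosts through the HTTP Referer header.

Added example, not code from the post or any site it discusses.  All hosts,
the token and the HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit, urlunsplit

# What a browser sends as Referer to a *cross-origin* resource under each
# Referrer-Policy value (simplified model, assumption: page served over HTTPS).
_CROSS_ORIGIN_REFERER = {
    "no-referrer": "none",
    "same-origin": "none",
    "origin": "origin",
    "strict-origin": "origin",
    "origin-when-cross-origin": "origin",
    "strict-origin-when-cross-origin": "origin",
    "no-referrer-when-downgrade": "full",
    "unsafe-url": "full",
}


class _SubresourceCollector(HTMLParser):
    """Collect URLs the browser fetches while rendering the page."""
    _ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src", "link": "href"}
    _FETCHED_REL = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self._ATTRS.get(tag)
        if not attr:
            return
        attrs = dict(attrs)
        if tag == "link" and not self._FETCHED_REL & set((attrs.get("rel") or "").lower().split()):
            return  # e.g. rel="canonical" is not fetched
        if attrs.get(attr):
            self.urls.append(attrs[attr])


def referer_leaks(page_url, html, referrer_policy=None,
                  browser_default="strict-origin-when-cross-origin"):
    """Map each third-party origin on the page to the Referer value it receives.

    referrer_policy is the page's Referrer-Policy header (None if absent), in
    which case browser_default applies.  Origins that receive nothing are omitted.
    """
    page = urlsplit(page_url)
    page_origin = f"{page.scheme}://{page.netloc}"
    policy = (referrer_policy or browser_default).lower()
    mode = _CROSS_ORIGIN_REFERER.get(policy, "full")
    collector = _SubresourceCollector()
    collector.feed(html)
    leaks = {}
    for url in collector.urls:
        target = urlsplit(url)
        if not target.netloc:
            continue  # relative URL: same origin, not a third party
        scheme = target.scheme or page.scheme  # handles scheme-relative //host/...
        origin = f"{scheme}://{target.netloc}"
        if origin == page_origin:
            continue
        downgrade = page.scheme == "https" and scheme == "http"
        if mode == "none" or (downgrade and (policy.startswith("strict") or
                                             policy == "no-referrer-when-downgrade")):
            continue
        if mode == "origin":
            leaks[origin] = page_origin + "/"
        else:  # full URL minus fragment, which is where the token lives
            leaks[origin] = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    return leaks


def token_exposed(leaks, token_param="token"):
    """Third-party origins whose Referer value carries the reset token itself."""
    return sorted(o for o, sent in leaks.items() if token_param in parse_qs(urlsplit(sent).query))


def hardened_headers():
    """Response headers a reset page should send so no Referer leaves the page.

    Better still is to consume the token server-side and redirect to a URL
    that no longer contains it, so there is nothing in the URL to leak.
    """
    return {"Referrer-Policy": "no-referrer"}


# Constructed sample: a reset page pulling in a CDN stylesheet, analytics and a pixel.
CONSTRUCTED_PAGE_URL = "https://accounts.example.test/reset?token=CONSTRUCTED-TOKEN-1234"
CONSTRUCTED_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<link rel="canonical" href="https://accounts.example.test/reset">
<script src="//analytics.example.test/a.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://ads.example.test/pixel.gif">
<form method="post" action="/reset"><input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for label, kwargs in [("modern default", {}),
                          ("legacy default", {"browser_default": "no-referrer-when-downgrade"}),
                          ("with Referrer-Policy", {"referrer_policy": "no-referrer"})]:
        leaks = referer_leaks(CONSTRUCTED_PAGE_URL, CONSTRUCTED_HTML, **kwargs)
        print(f"{label}: {leaks}\n  token exposed to: {token_exposed(leaks)}")
```

Running it shows three third-party origins receiving only `https://accounts.example.test/` under the modern default, all three receiving the token-bearing URL under the legacy default, and nothing at all once the page sends `Referrer-Policy: no-referrer`. The policy header is the cheap fix; moving the token out of the URL (validate it on arrival, bind it to a short-lived session, redirect to a clean form URL) removes the exposure regardless of what the browser does.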

