The “Immortal” Password Reset Link: A Bug Hunter’s Delight


Garvsanwariya

Ah, the humble password reset link. Designed to be a one-time savior for the forgetful user. But what if it had the resilience of a cockroach? What if, instead of expiring, it just kept working like a gift that keeps on giving? Welcome to the world of “Immortal” password reset links — a hacker’s dream and a security nightmare.

1. Request a password reset link at `https://site.com/users/forgotten_password`.
2. Check your email for something like `https://site.com/users/new_password?reset_token=your-reset-token`.
3. Reset your password once, twice, thrice — hell, as many times as you want!

Impact:
If an attacker gains access to a user’s email (or finds the link elsewhere), they can hijack accounts at will. Who needs phishing when you can just use the same token forever?

🔗 [HackerOne Report](https://hackerone.com/reports/898841)

— -

1. Request a password reset at `https://infogram.com/forgot`.
2. Ignore the first link and request a new one.
3. Use the second reset link to change your password.
4. Now, go back and try using the first reset link. Boom — still works!

Impact:
If an attacker steals an old reset link, it’s game over. Password changes should invalidate old reset links, but some developers just love to live dangerously.

🔗 [HackerOne Report](https://hackerone.com/reports/283550)

— -

1. Request a password reset but don’t use it.
2. Change your password manually from your account settings.
3. Go back and use the old reset token — yep, it still works!

Impact:
If someone ever gets access to that token, they can reset your password even after you changed it. Imagine a cybercafé situation where a user forgets to log out — free accounts for everyone!

🔗 [HackerOne Report](https://hackerone.com/reports/948345)

— -

1. Request a password reset.
2. Copy the reset link but don’t use it yet.
3. Log in and change your email.
4. Now, use the old password reset link — yes, you can still reset the password!

Impact:
Users who think they’re safe after changing their email are in for a rude awakening.

🔗 [HackerOne Report](https://hackerone.com/reports/685007)

— -

1. Request a password reset on `https://card.starbucks.com.sg/forgetPassword.php`.
2. Capture the request in Burp Suite and modify the email parameter to your victim’s email.
3. Congratulations! The reset link is now yours!

Impact:
No need for phishing — just some creative request tampering and you own someone’s account.

🔗 [HackerOne Report](https://hackerone.com/reports/315879)

— -

1. Password Reset Token Leak via Referer Header

1. Request a password reset.
2. Click on any social media link from the reset page.
3. Capture the request headers and check the Referer header.
4. If the reset token is in the Referer, congrats, you just leaked it!

🔗 [HackerOne Report](https://hackerone.com/reports/751581)

— -

2. Password Reset Token Leak via Response

1. Request a password reset.
2. Intercept the response and see if it includes the reset link.

Impact:
If the reset link is returned in the response, it can be stolen via browser extensions, XSS, or MITM attacks.

🔗 [Medium Article](https://medium.com/@yassergersy/account-take-over-via-reset-password-f2e9d887bce1)

— -

3. Password Reset Token Leak via Email Parameter Manipulation

Try injecting additional emails into the reset request:

email=victim@xyz.com&email=attacker@xyz.com

If you get a copy of the victim’s reset email — well, you know what to do.

🔗 [HackerOne Report](https://hackerone.com/reports/1175081)

— -

4. Host Header Poisoning in Password Reset

1. Intercept the request.
2. Change the Host header to your malicious domain.
3. If the reset email contains your malicious link instead of the real one, you win.

🔗 [HackerOne Report](https://hackerone.com/reports/226659)
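The four leak and poisoning cases above (token in the Referer, token in the response, a repeated `email` parameter, and a trusted Host header) all come down to how the forgot-password endpoint reads its input and builds its output. The following is an added example written for this page, not code from any of the sites or reports mentioned: a forgot-password handler that accepts exactly one email, sends the link only to the mailbox on record, builds the link from a configured origin rather than the request's Host header, returns a token-free response either way, and serves the reset page with a `Referrer-Policy` that keeps the token out of outbound Referer headers. `CANONICAL_ORIGIN`, `handle_forgot_password`, `extract_single_email`, `build_reset_link` and `reset_page_headers` are hypothetical names; the `outbox` list stands in for a mail sender.

```python
import secrets
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, quote

# Constructed example; not the code of any site named in the post.
# The origin used in reset links is configuration, never derived from the
# request, which is what defeats Host header poisoning.
CANONICAL_ORIGIN = "https://app.example.test"   # hypothetical deployment value


def extract_single_email(raw_body: str) -> Optional[str]:
    """Return the one email in a form body, or None if it is missing or repeated."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    values = fields.get("email", [])
    if len(values) != 1:
        return None                      # rejects email=victim@...&email=attacker@...
    email = values[0].strip()
    # One mailbox only: no comma/semicolon lists and exactly one '@'.
    if not email or "," in email or ";" in email or email.count("@") != 1:
        return None
    return email


def build_reset_link(token: str, request_host: str) -> str:
    """Build the emailed link from the configured origin; request_host is ignored on purpose."""
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"


def handle_forgot_password(raw_body: str, headers: Dict[str, str],
                           known_emails: Set[str],
                           outbox: List[Tuple[str, str]]) -> Dict[str, object]:
    """Forgot-password endpoint: the link goes only to the mailbox on record (appended to outbox)."""
    email = extract_single_email(raw_body)
    if email is not None and email in known_emails:
        token = secrets.token_urlsafe(32)
        outbox.append((email, build_reset_link(token, headers.get("Host", ""))))
    # Identical, token-free response whether or not the address exists: nothing
    # for a browser extension, XSS payload or intercepting proxy to read the link from.
    return {"status": 202,
            "body": {"message": "If that address is registered, a reset email is on its way."}}


def reset_page_headers() -> Dict[str, str]:
    """Headers for the page the link opens, so the token never rides along in a Referer."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


if __name__ == "__main__":
    sent: List[Tuple[str, str]] = []
    users = {"victim@xyz.com"}     # constructed sample account
    handle_forgot_password("email=victim%40xyz.com&email=attacker%40xyz.com",
                           {"Host": "evil.example"}, users, sent)
    print("after duplicate-email request:", sent)          # nothing sent
    handle_forgot_password("email=victim%40xyz.com", {"Host": "evil.example"}, users, sent)
    print("after legitimate request:", sent)               # link on CANONICAL_ORIGIN
```

Using `parse_qs` on the raw body (rather than a framework's "first value wins" accessor) is deliberate: it is the only way to see that `email` arrived twice and refuse the request instead of silently picking one. The reset page itself should also accept the token from the URL and then continue via POST, so that a social media link on that page never has the token in its Referer even on browsers that ignore the policy header.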

— -

Conclusion

If you’re a bug bounty hunter, these are the gifts that keep on giving. If you’re a developer, fix your damn password reset flows. Security isn’t just about writing code — it’s about writing good code.

Got any immortal reset links lying around? Maybe it’s time to make a HackerOne report and cash in before the real bad guys do. Happy hunting!

Recommendations to Fix These Issues

1. Expire Reset Links After Use — Implement strict one-time-use policies for reset tokens.
2. Invalidate Old Reset Links — When a new reset link is requested, old ones should become useless.
3. Token Expiry Time — Set a short expiration time (e.g., 10–15 minutes) for reset links.
4. Change Reset Token on Password Update — Reset tokens should become invalid if the user manually changes their password.
5. Restrict Password Reset to Last Known Email — Don’t allow password resets if the email was changed recently.
6. Monitor for Anomalous Requests — Implement logging and rate limiting on password reset attempts.
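The six recommendations, and the first four cases in this post (a link that can be reused, a link that survives a newer request, a link that survives a manual password change, a link that survives an email change), are all properties of one token lifecycle. The following is an added example written for this page, not code from any of the reports above: an in-memory token store in which a token is stored only as a hash, is single-use, is replaced by any newer request, expires after 15 minutes, is tied to a `credential_version` that every password or email change bumps, and is rate limited per account. `User`, `ResetRecord`, `ResetTokenStore`, `change_password` and `change_email` are hypothetical names; a real service would keep the same rules in a database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed example: an in-memory reset-token store that enforces the six
# recommendations. The class and field names are hypothetical; a real service
# would persist this in a database, but the rules are the same.

TOKEN_TTL_SECONDS = 15 * 60        # recommendation 3: short expiry window
MAX_REQUESTS_PER_WINDOW = 3        # recommendation 6: rate limit per account
RATE_WINDOW_SECONDS = 60 * 60


@dataclass
class User:
    user_id: int
    email: str
    password_hash: str
    # Bumped on every password or email change; tokens carry the value they
    # were issued under, so any change makes older tokens stop matching (4, 5).
    credential_version: int = 0


@dataclass
class ResetRecord:
    token_hash: str            # only a hash is stored; a DB leak yields no live links
    credential_version: int
    issued_at: float
    used: bool = False


class ResetTokenStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.records: Dict[int, ResetRecord] = {}      # one live token per user
        self.request_log: Dict[int, List[float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: User) -> Optional[str]:
        """Create a fresh token, or return None when the account is rate limited."""
        now = self.clock()
        recent = [t for t in self.request_log.get(user.user_id, [])
                  if now - t < RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None                                 # recommendation 6
        recent.append(now)
        self.request_log[user.user_id] = recent
        token = secrets.token_urlsafe(32)
        # Replacing the record is what kills any earlier link (recommendation 2).
        self.records[user.user_id] = ResetRecord(self._hash(token), user.credential_version, now)
        return token

    def redeem(self, user: User, token: str, new_password_hash: str) -> bool:
        """Consume the token and set the new password; False on any failed check."""
        rec = self.records.get(user.user_id)
        if rec is None or rec.used:
            return False                                # recommendation 1: one use only
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False                                # constant-time compare of hashes
        if self.clock() - rec.issued_at > TOKEN_TTL_SECONDS:
            return False                                # recommendation 3
        if rec.credential_version != user.credential_version:
            return False                                # recommendations 4 and 5
        rec.used = True
        change_password(user, new_password_hash)        # the reset itself bumps the version too
        return True


def change_password(user: User, new_password_hash: str) -> None:
    user.password_hash = new_password_hash
    user.credential_version += 1                        # recommendation 4


def change_email(user: User, new_email: str) -> None:
    user.email = new_email
    user.credential_version += 1                        # recommendation 5


if __name__ == "__main__":
    store = ResetTokenStore()
    alice = User(user_id=1, email="alice@example.test", password_hash="hash0")  # constructed
    first = store.issue(alice)
    second = store.issue(alice)                         # supersedes `first`
    print("old link accepted:", store.redeem(alice, first, "hash1"))    # False
    print("new link accepted:", store.redeem(alice, second, "hash1"))   # True
    print("new link reused:", store.redeem(alice, second, "hash2"))     # False
```

The single version counter is the design choice worth copying: rather than remembering to delete tokens in every code path that touches credentials, each such path increments `credential_version`, and `redeem` refuses any token issued under an older value. Storing the hash rather than the token means a leaked records table cannot be turned back into working links, and `hmac.compare_digest` keeps the comparison constant-time.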

Security is all about making the attacker’s job harder. Let’s not make it easy for them, shall we?

For more detailed bug bounty checklists and methodologies, check out Bugbounty-Checklist.
