Paul Gregg

Jack of all Tech.

Menshn: Another password design flaw

Ok – so I forgot my password on Menshn, again, and went to reset my password. Normal email address+token thing – except I noticed another problem. Menshn emails you a link in the form: pwreset.php?e=email@address.com&c=8chartoken. At least they are not emailing plain text passwords again. But, I noticed that the token link can be used […]
