Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's talking about email verification, not password reset systems. In other words, those types of URLs should only establish a connection between an account and an email address: they shouldn't act as a means of authentication.


Ah ok.

Aren't both of these equivalent though?

(I would think the point may be that a compromised email, doesn't provide access later. Both these scenario are equally vulnerable then?)


It would also be to make sure an attacker can't just iterate through or guess at the emailed URLs and get valid, logged-in sessions without needing to properly authenticate.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: