Email Verification Link can be Used as Password Reset Link!

ID H1:98469
Type hackerone
Reporter karimrahal
Modified 2015-12-03T11:07:42


Hello again!

Basically, I have found a new issue which allows an attacker to use an Email Verification Link and make it into a password reset link!

Proof of Concept: When you send an Email Verification Link, it looks like this: ""

Remove "step=account" from the URL, and tadaa! You will see that once you enter the email you can change the password!

Thank you, -Karim
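
The report does not show the server-side code. As an added example (not from the report or the affected site), here is one general way to keep a token issued for email verification from being accepted by a password reset handler: put the purpose inside the MAC-protected payload and have each handler demand its own purpose. All names, the key and the token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key"


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, purpose: str, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Build 'user_id:purpose:expiry:mac'; the MAC covers the purpose."""
    if ":" in user_id or ":" in purpose:
        raise ValueError("field separator not allowed in user_id or purpose")
    expiry = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}:{purpose}:{expiry}"
    return f"{payload}:{_mac(payload)}"


def verify_token(token: str, expected_purpose: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user id only if MAC, purpose and expiry all check out."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    user_id, purpose, expiry, mac = parts
    expected = _mac(f"{user_id}:{purpose}:{expiry}")
    # Constant-time comparison; a failed MAC means a forged or edited token.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # The purpose comes from the signed token, never from a URL parameter
    # the client can add or remove.
    if purpose != expected_purpose:
        return None
    if int(expiry) < (time.time() if now is None else now):
        return None
    return user_id


def handle_email_verification(token: str, now: Optional[float] = None):
    return verify_token(token, "verify_email", now)


def handle_password_reset(token: str, now: Optional[float] = None):
    return verify_token(token, "password_reset", now)
```
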