Password Disclosure in Password Recovery
Variants:
Direct
Vector Type:
Vulnerability
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Password Recovery, Secure Design
Invented In:
01/01/1999
Added In:
21/12/2014
Vector Operation Method:
The password recovery mechanism discloses the password in the email response or after the final verification, risking its disclosure to unauthorized entities, instead of requiring the user to select a new password.
