> If your email is being "watched" by someone else, then that someone else c... | Hacker News

Hacker News .hnnew | past | comments | ask | show | jobs | submit

		sneak on June 14, 2011 \| parent \| context \| favorite \| on: If you develop web apps, don't do this. > If your email is being "watched" by someone else, then that someone else can access other web services that you own WITHOUT requiring to type passwords! The person watching your email can ALREADY DO THAT NOW by clicking on the "I forgot my password" link, intercepting the reset email, and then setting a new password and logging in.

skrebbel on June 14, 2011 [–]

That assumes someone has live access to your email. If someone has a recent enough dump (or simply a mail you forwarded yourself, because you didn't understand the security implications), then the "forgot password" button does really provide more security than login tokens inside the URL.

Consider applying for YC's Summer 2026 batch! Applications are open till May 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact