Hi Guys,
I’ve been doing some security / site testing and have come across what is essentially a very serious email issue.
There is literally nothing stopping ANY maliciously oriented person – if they discover the username/email of ANY member on a membership site – from going to the AJAX login form, clicking ‘Lost Password’, adding the username/email and hitting RESET Password AGAIN... and AGAIN... and AGAIN... and AGAIN, effectively spamming the member’s email address.
I even did it on your SUPPORT SITE – resulting in about 8 emails being sent to my email address in 1 sec!
See attached.
Not only would this kind of behaviour be disastrous for the reputation of a membership site, it could also lead to being blacklisted for SPAM.
It would seem both imperative and sensible to have some kind of ‘limit password reset’ time/attempt option in place in the AJAX code to prevent this – unless you have a better idea?
Cheers,
Grant
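One way to implement the ‘limit password reset’ throttle proposed above, as an added example that is not code from the original post or from the membership plugin being discussed: a small sliding-window limiter that keeps two independent budgets per request, one on the account identifier (username/email, normalised) and one on the requesting IP, and returns the same neutral message to the browser whether an email was sent or the request was throttled. The limits (2 per account per 15 minutes, 5 per IP per hour), the account name and the IP address are constructed assumptions for the demonstration.

```python
"""Added example: sliding-window rate limiting for 'lost password' requests.

Two independent budgets are enforced per request: one keyed on the account
identifier (username/email, normalised) and one keyed on the requesting IP.
The user-facing response is identical whether an email was sent or the request
was throttled, so the form leaks nothing about the account or the limiter.
Limits, window lengths and sample values below are illustrative assumptions.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, NamedTuple
import time


class ResetDecision(NamedTuple):
    send_email: bool   # whether the backend should actually dispatch the reset mail
    reason: str        # "ok" | "account_throttled" | "ip_throttled" (for logs only)
    message: str       # constant text returned to the browser


NEUTRAL_MESSAGE = "If that account exists, a password reset email has been sent."


class ResetRateLimiter:
    def __init__(self, per_account_limit: int = 2, per_account_window: float = 15 * 60,
                 per_ip_limit: int = 5, per_ip_window: float = 60 * 60,
                 clock: Callable[[], float] = time.monotonic):
        self.per_account_limit = per_account_limit
        self.per_account_window = float(per_account_window)
        self.per_ip_limit = per_ip_limit
        self.per_ip_window = float(per_ip_window)
        self.clock = clock
        self._account_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.events: List[str] = []   # throttle events, kept for detection/alerting

    @staticmethod
    def _consume(hits: Deque[float], limit: int, window: float, now: float) -> bool:
        # Drop timestamps that fell out of the window, then try to take a slot.
        while hits and now - hits[0] >= window:
            hits.popleft()
        if len(hits) >= limit:
            return False
        hits.append(now)
        return True

    def request_reset(self, identifier: str, ip: str) -> ResetDecision:
        now = self.clock()
        key = identifier.strip().lower()   # "Member@Example.test" == "member@example.test"
        # Per-IP budget first: a blocked source must not be able to burn the
        # victim's account budget (that would lock the real member out of resets).
        if not self._consume(self._ip_hits[ip], self.per_ip_limit, self.per_ip_window, now):
            self.events.append(f"ip_throttled ip={ip} account={key}")
            return ResetDecision(False, "ip_throttled", NEUTRAL_MESSAGE)
        if not self._consume(self._account_hits[key], self.per_account_limit,
                             self.per_account_window, now):
            self.events.append(f"account_throttled ip={ip} account={key}")
            return ResetDecision(False, "account_throttled", NEUTRAL_MESSAGE)
        return ResetDecision(True, "ok", NEUTRAL_MESSAGE)


class FakeClock:
    """Deterministic clock so the burst below is reproducible offline."""
    def __init__(self, start: float = 0.0):
        self.t = float(start)

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst(limiter: ResetRateLimiter, clock: FakeClock, identifier: str,
                   ip: str, attempts: int, spacing: float) -> int:
    """Fire `attempts` reset requests `spacing` seconds apart; return emails actually sent."""
    sent = 0
    for _ in range(attempts):
        if limiter.request_reset(identifier, ip).send_email:
            sent += 1
        clock.advance(spacing)
    return sent


def demo() -> dict:
    clock = FakeClock()
    limiter = ResetRateLimiter(clock=clock)
    # Constructed scenario: 8 clicks on RESET within one second, as in the report above.
    burst = simulate_burst(limiter, clock, "Member@Example.test", "203.0.113.7", 8, 0.125)
    clock.advance(16 * 60)   # account window (15 min) has expired, IP window has not
    after_account_window = limiter.request_reset("member@example.test", "203.0.113.7").send_email
    clock.advance(60 * 60)   # now the IP window (60 min) has expired as well
    after_ip_window = limiter.request_reset("member@example.test", "203.0.113.7").send_email
    return {"sent_in_burst": burst, "after_account_window": after_account_window,
            "after_ip_window": after_ip_window, "throttle_events": len(limiter.events)}


if __name__ == "__main__":
    print(demo())
```

With these settings the eight-click burst sends only two emails; the remaining six clicks are throttled (three by the account budget, three by the IP budget) and each is recorded in `events`, which is the signal a site operator would forward to logging or alerting. In a real deployment the two hit tables would live in a shared store (a database table or cache) rather than in process memory, so that every web worker enforces the same budgets.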