dybber 2 hours ago

> The first proper zero auth password reset I've seen in production.

LinkedIn had one back in the day, before you got paid for discovering it, I guess. I never got a decent reply from them, but they eventually solved it.

It went like this: they assumed that if you could read mail sent to some address, that address was yours and could be added to your account.

So if I sent you a LinkedIn invite to an email address, and you clicked the accept invite button, that email address was added to your account. You could then send this invite to any address you controlled (let’s say foo@example.com), then take the invite button link, put it in a forged email, and send it to someone else at their email address; whenever they clicked, foo@example.com was added to their account without them knowing.

When you got the response that you were friends, you also knew that you now had an email address added to that user's account, and you could do a full password reset using the foo@example.com address that you initially sent the invite to.

I found it because someone invited a whole mailing list, and after clicking it, the mailing list email was suddenly added to various people's accounts.
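The flaw described in this comment is an authorization gap, not a bug in email delivery: the link proved that *someone* could read mail at the address, but nothing tied that address to the account that would end up owning it, so whoever was logged in when the link was clicked got it. The following is an added example, not code from the thread or from LinkedIn, that models both designs with constructed, hypothetical classes (`VulnerableEmailLinking`, `HardenedEmailLinking`) and a demo key; the hardened version requires the add to be initiated from the owner's logged-in session, binds the confirmation token to that account, and makes it single-use.

```python
import hmac
import hashlib
import secrets

# Constructed demo signing key; a real service loads this from its secret store.
SIGNING_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _verify(payload: str, sig: str) -> bool:
    return hmac.compare_digest(_sign(payload), sig)


class VulnerableEmailLinking:
    """Models the flawed assumption from the thread: whoever clicks a link that
    was mailed to <email> must own <email>, so attach it to the logged-in account."""

    def __init__(self):
        self.accounts = {}  # user_id -> set of emails attached to that account

    def make_invite_link(self, email: str) -> str:
        # The token binds only the address, not which account may claim it,
        # so the link can be forwarded and redeemed by any logged-in session.
        return f"{email}|{_sign(email)}"

    def accept(self, token: str, session_user: str) -> bool:
        email, _, sig = token.rpartition("|")
        if not _verify(email, sig):
            return False
        self.accounts.setdefault(session_user, set()).add(email)
        return True


class HardenedEmailLinking:
    """Adding an address is initiated by the logged-in owner; the confirmation
    token is bound to that account and is single-use, so a forwarded or forged
    link cannot attach the address to anyone else's account."""

    def __init__(self):
        self.accounts = {}
        self.pending = {}  # nonce -> (user_id, email) awaiting confirmation

    def request_add_email(self, session_user: str, email: str) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (session_user, email)
        payload = f"{nonce}|{session_user}|{email}"
        return f"{payload}|{_sign(payload)}"  # this is what gets mailed to <email>

    def confirm(self, token: str, session_user: str) -> bool:
        payload, _, sig = token.rpartition("|")
        if not _verify(payload, sig):
            return False
        nonce, bound_user, email = payload.split("|", 2)
        # The clicking session must be the account that asked for this address.
        if bound_user != session_user:
            return False
        # Single use: reject replays and tokens this service never issued.
        if self.pending.pop(nonce, None) != (bound_user, email):
            return False
        self.accounts.setdefault(session_user, set()).add(email)
        return True


def demo() -> dict:
    """Replays the thread's scenario against both designs and reports whether
    the attacker-controlled address ended up on the victim's account."""
    vuln = VulnerableEmailLinking()
    hard = HardenedEmailLinking()

    # Flawed design: a link mailed to an attacker-controlled address is forwarded
    # to the victim, who clicks it while logged in.
    link = vuln.make_invite_link("foo@example.com")
    vuln.accept(link, session_user="victim")

    # Hardened design: the only token the attacker can obtain is bound to their
    # own session, so the victim's session cannot redeem it.
    token = hard.request_add_email("attacker", "foo@example.com")
    victim_click = hard.confirm(token, session_user="victim")
    owner_first = hard.confirm(token, session_user="attacker")  # legitimate owner, once
    owner_replay = hard.confirm(token, session_user="attacker")  # replay is refused

    return {
        "vulnerable_added_to_victim": "foo@example.com" in vuln.accounts.get("victim", set()),
        "hardened_added_to_victim": "foo@example.com" in hard.accounts.get("victim", set()),
        "hardened_victim_click_accepted": victim_click,
        "hardened_owner_confirm": owner_first,
        "hardened_replay_rejected": not owner_replay,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check that matters is the `bound_user != session_user` comparison: proof of mailbox access is necessary but not sufficient, and the address must also be claimed by the same account that requested it. The nonce in `pending` additionally prevents a confirmed token from being reused, which is the other property the thread's mailing-list incident shows was missing.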

_hyn3 an hour ago

> someone invited a whole mailing list

IIRC, LinkedIn would email everyone in your "address book" (or anything else it could find) back in the day.

kyleee 34 minutes ago

You recall correctly. It is too bad they have been rewarded for it instead of the lot of the C-suite being sent to jail and ill-gotten gains clawed back.