Persistent Password Recovery Token
Variants:
Direct
Also Known As:
Ineffective Password Recovery Process Termination
Vector Type:
Vulnerability
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Password Recovery
Invented In:
23/12/2014
Added In:
23/12/2014
Vector Operation Method:
The application does not invalidate password recovery token and password recovery initialization challenges after a failed or successful recovery attempt, extending the timeframe an attacker could use to bruteforce these identifiers.
