Password Recovery Destination Manipulation via Parameter Tampering
Variants:
Direct
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Password Recovery, Secure Design
Invented In:
01/01/1999
Added In:
23/12/2014
Vector Operation Method:
Attackers can cause the application to send recovered passwords or recovery challenge tokens to an email address or phone number they control by tampering with inputs sent from the client to the server during the recovery process.
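
The following is an added example, not code from the original entry: a recovery handler that trusts a client-supplied destination, shown beside a hardened handler that resolves the destination from the server-side account record and logs any mismatch for monitoring. The field names ("username", "email"), the in-memory stores and the helper issue_token are assumptions made for illustration, and all data is constructed.

```python
import secrets

# Constructed account store: username -> verified recovery address on file.
USERS = {"alice": "alice@example.com"}

OUTBOX = []  # (recipient, token) pairs the handlers would hand to a mailer
ALERTS = []  # tampering indicators for the monitoring pipeline


def issue_token(username):
    # Hypothetical helper: a real system also stores a hash of the token
    # with a short expiry, bound to this username.
    return secrets.token_urlsafe(32)


def recover_vulnerable(form):
    """Flawed: the destination is read from the request (for example a
    hidden form field), so whoever submits the form chooses the recipient."""
    username = form.get("username")
    if username not in USERS:
        return False
    OUTBOX.append((form.get("email"), issue_token(username)))
    return True


def recover_hardened(form):
    """The destination always comes from the server-side record. A
    client-supplied address is never used for delivery, only compared."""
    username = form.get("username")
    stored = USERS.get(username)
    if stored is None:
        return False
    supplied = form.get("email")
    if supplied is not None and supplied.strip().lower() != stored.lower():
        # The mismatch is a detection signal; delivery is unaffected.
        ALERTS.append({"user": username, "supplied": supplied})
    OUTBOX.append((stored, issue_token(username)))
    return True


if __name__ == "__main__":
    # Constructed request carrying a destination that is not on file.
    request = {"username": "alice", "email": "other@example.net"}
    recover_vulnerable(request)
    print("vulnerable handler sends to:", OUTBOX[-1][0])
    recover_hardened(request)
    print("hardened handler sends to:  ", OUTBOX[-1][0])
    print("alerts raised:", ALERTS)
```

The same rule applies to phone numbers and to any other delivery channel: the recovery request identifies the account, and the server alone decides where the token goes.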