My app sends a password reset link to any email I type. Is that bad?

Short answer

That alone isn't a bug — every app leaks 'this email exists' unless you specifically hide it. The real question is what happens when someone clicks the reset link. If the link works without checking who's logged in, anyone can take over any account. Test: request a reset for a friend's email and see if you can use the link.

Two separate things can be wrong here — one is mild, one is a full account-takeover bug.

**Mild: email enumeration.** Your app telling attackers 'yes, that email has an account here' helps them target users. Fix by showing the same message ('if that email exists, we sent a link') whether or not the account exists. Also add rate-limiting so attackers can't batch-test millions of emails.

**Severe: reset-link takeover.** A reset link should be a short-lived random token that can be used once and only by someone who can read the email it was sent to. Broken versions include:

- Token is predictable (sequential IDs, simple hashes of the email)
- Token doesn't expire, or expires too far in the future (24h+ is too long)
- Token can be reused
- The reset page doesn't verify the token server-side before accepting the new password
- The reset link is sent in plaintext and can be intercepted on public Wi-Fi

Test yours: request a reset, copy the link, open it in an incognito window. Does it let you set a new password without knowing the old one? If yes, that's the intended flow: a reset link is supposed to work without the old password, so the bug, if there is one, is in the token rather than the flow. Look at the token value: is it random-looking (good) or predictable (bad)?
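The following is an added example, not code from this page or from Securie, of a reset flow that avoids both problems above: the same message is returned whether or not the email exists, and the token is random, stored only as a hash, short-lived and single-use. The in-memory `USERS` and `RESET_TOKENS` dicts are constructed stand-ins for database tables.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # 15 minutes: short-lived, far under the 24h the text calls too long

# Constructed in-memory stores standing in for the user and reset-token tables.
USERS = {"alice@example.com": {"password": "old-password"}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}

UNIFORM_MESSAGE = "If that email has an account, we've sent a reset link."


def _hash(token: str) -> str:
    # Store only a hash: a leaked table must not hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Always answer with the same message so the response never reveals whether the email exists."""
    now = time.time() if now is None else now
    if email not in USERS:
        return UNIFORM_MESSAGE, None
    # 32 random bytes from the OS CSPRNG: not sequential and not derived from the email.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    # The token is returned here only so the example can be exercised; in a real app it
    # goes into the email alone, never into the HTTP response.
    return UNIFORM_MESSAGE, token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the new password only if the token is known, unexpired and unused."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash(token))  # server-side check, never trust the client
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True  # single-use: mark consumed before touching the account
    USERS[record["email"]]["password"] = new_password
    return True


if __name__ == "__main__":
    _, tok = request_reset("alice@example.com")
    print("first use ok:", complete_reset(tok, "new-password"))   # True
    print("second use ok:", complete_reset(tok, "another-one"))   # False, token already spent
```

Rate limiting the `request_reset` endpoint, which the text also recommends, sits in front of this code rather than inside it.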

Securie's free scan (launching this year) will test your reset flow end-to-end and tell you whether the token is strong enough. Join the list and we'll run it in week 1.
