Showing posts with the label Hackerone

Password Reset Token Issue [app.legalrobot.com]

Password Reset Token Issue [app.legalrobot.com]

Summary

The password can still be changed without a reset token.

Steps to Reproduce

1. Request a password reset link.
2. Open the email and click the password reset link: https://app.legalrobot.com/password-reset/token?v=uWe_yFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX
3. Now remove the token and use the link https://app.legalrobot.com/password-reset
4. Observe that you are able to reset the password without the token.

Fix : The password reset link should only ever work with a valid token.

Reference : https://hackerone.com/reports/253934

At first my report was marked N/A; I explained a little and got a $20 bounty, yay. You can see my original report at https://hackerone.com/reports/265775. Thanks,
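As an added illustration of the bug class and the fix (this is constructed example code, not Legal Robot's code or anything from the report), the vulnerable handler below falls back to the session user when no token is supplied, so dropping the token from the URL skips the check entirely; the fixed handler derives the account only from a valid, unexpired, single-use token. The in-memory dictionaries, the 15-minute TTL and the user names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed validity window

# Constructed in-memory state standing in for the application's database.
PASSWORDS = {"alice": "old-password"}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ..., "used": ...}


def issue_reset_token(user):
    """Create a random single-use, expiring token; only its hash is stored."""
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": user, "expires": time.time() + TOKEN_TTL_SECONDS, "used": False}
    return raw


def lookup_token(raw):
    """Return the token record if it is known, unexpired and unused, else None."""
    if not raw:
        return None
    rec = RESET_TOKENS.get(hashlib.sha256(raw.encode()).hexdigest())
    if rec is None or rec["used"] or time.time() > rec["expires"]:
        return None
    return rec


def reset_password_vulnerable(session_user, token, new_password):
    """Mirrors the reported behaviour: with no token in the request the handler
    trusts the session user and never checks the email link at all."""
    if token is None:
        target = session_user  # the bug: identity without proof of email access
    else:
        rec = lookup_token(token)
        if rec is None:
            return False
        target = rec["user"]
    PASSWORDS[target] = new_password
    return True


def reset_password_fixed(session_user, token, new_password):
    """The account comes only from a valid token; a missing token is a hard failure.
    session_user is deliberately ignored."""
    rec = lookup_token(token)
    if rec is None:
        return False
    rec["used"] = True  # single use: the same link cannot reset the password twice
    PASSWORDS[rec["user"]] = new_password
    return True
```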