this password reset feels like the tip of an iceberg.
leaking emails on reset? credential stuffing?
this is basic stuff in auth, which brings me to my next point: this screams a home-rolled auth system by someone with little experience or a lapse in judgment. i'd bet the former. wonder what else you'd find if you looked around. good time to double check those cookie settings and maybe google "owasp top 10"
nostr:nevent1qqswh5upmuma0h89vdnh7pnk6ap637xg0mtt0k32hwaxrxm98vuv28cpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhg0f4n4v