Server sends cleartext passwords in email

Description

When a user fills in the registration form on a website, the web server sends a mail to the registered mail id to verify that mail id.

Sometimes the password is not taken from the user during registration; instead the web server generates a random password and sends it in plaintext over mail after registration.

When a user clicks on Forgot Password, some websites reset the password and send the newly generated password in plaintext over mail.

Impact

  • The user account will be compromised if an attacker somehow gets access to the victim's mail.
  • User credentials may be exposed.
  • If the same password is used for multiple accounts, an attacker may access those other accounts too and may change the password and email so that the victim can never recover the account.

Prevention

  • Never send the password in mail.
  • Implement password-reset functionality using a temporary, one-time token, which can be sent over mail.
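The token-based reset described above, as an added example that is not part of the original page: the mail carries only an opaque, random, short-lived, single-use token, the server stores just its hash, and the token is consumed on first use. The in-memory dictionary standing in for the reset-token table and the 15-minute lifetime are assumptions of this example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for a database table of reset tokens:
# sha256(token) -> {"user": user_id, "expires": unix_time}.
# Only the hash is stored, so a leaked table does not yield usable tokens.
_reset_tokens = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; short to limit the window if mail is read late


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time reset token for user_id and return the value to put in the mail.

    The mail contains this token (e.g. inside a reset link), never a password;
    the server keeps only the hash and the expiry time.
    """
    now = time.time() if now is None else now
    # Any earlier outstanding token for this user is invalidated.
    for digest, rec in list(_reset_tokens.items()):
        if rec["user"] == user_id:
            del _reset_tokens[digest]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _reset_tokens[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid, else None. The token is consumed either way."""
    now = time.time() if now is None else now
    rec = _reset_tokens.pop(_digest(token), None)  # single use: removed on first presentation
    if rec is None:
        return None
    if now > rec["expires"]:
        return None  # expired tokens are rejected and are already removed
    return rec["user"]
```

After `redeem_reset_token` returns a user id, the application lets that user choose a new password over the authenticated reset page, so no password ever travels by mail.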