I was about to close the tab when I noticed it. The password reset email from the fintech startup used http:// instead of https://. At first glance, it seemed minor, until I realized the reset token in that insecure link was all an attacker needed to take over any account. This "low-severity" find turned into a critical demonstration of how authentication systems fail at the most basic level.
When HTTPS Becomes Optional: The Verification Link Problem
Many developers assume that because the login page is served over HTTPS, the entire authentication flow is protected. The emails the application sends tell a different story: a verification or reset link is part of that flow, and if it is built with http:// the token it carries leaves the TLS boundary the moment the user clicks it.
The Real-World Impact:
On a popular productivity app, I found that account verification links were sent over HTTP. The sequence went like this:
- User registers at https://app.com/signup
- App sends a verification email with the link: http://app.com/verify?token=abc123
- User clicks the link and is automatically logged in
The vulnerability? Because the link is plain HTTP, the moment the user clicks it the request, token and all, travels in cleartext. Anyone on the network path (public Wi-Fi, a malicious ISP) could capture the token and hijack the account, and anyone who can read the email itself (a compromised email account) would not even need to wait for the click…
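As an added example (my own code, not the app's or the post's), here is the flow above in Python: the link builder behaving as the post describes, a hardened variant that refuses a non-HTTPS base URL and issues short-lived, single-use tokens stored only as hashes, and a small audit function that scans an outgoing email body for http:// links carrying a token. The names app.com, VerificationStore, the sensitive-parameter list and the sample email are all assumptions.

```python
from __future__ import annotations

import hashlib
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# The behaviour the post describes: the base URL comes from config, and if
# that config says http:// the token rides in cleartext when the user clicks.
def vulnerable_verify_link(base_url: str, token: str) -> str:
    return f"{base_url}/verify?token={token}"


# --- Hardened version (hypothetical design, not the app's actual fix) ---

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: limits the window if a link does leak


def _digest(token: str) -> str:
    # Store only a hash so a database leak does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationStore:
    """In-memory stand-in for the DB table that tracks pending tokens."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, user_id: str, now: float | None = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, URL-safe
        expires_at = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self._pending[_digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str, now: float | None = None) -> str | None:
        """Return the user id if the token is valid; consume it either way."""
        entry = self._pending.pop(_digest(token), None)  # pop => single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if (time.time() if now is None else now) > expires_at:
            return None
        return user_id


def secure_verify_link(base_url: str, token: str) -> str:
    """Build the link, refusing to embed a token in anything but an HTTPS URL."""
    if urlparse(base_url).scheme != "https":
        raise ValueError(f"refusing to put a token in a non-HTTPS link: {base_url}")
    return f"{base_url}/verify?{urlencode({'token': token})}"


# --- Audit helper: find the bug in outgoing mail before a researcher does ---

_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_SENSITIVE_PARAMS = ("token", "code", "key", "reset", "verify")  # assumed list


def find_insecure_token_links(email_body: str) -> list[str]:
    """Return every http:// URL whose query string carries a token-like parameter."""
    hits = []
    for url in _URL_RE.findall(email_body):
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue
        names = {name.lower() for name in parse_qs(parsed.query)}
        if any(p in name for name in names for p in _SENSITIVE_PARAMS):
            hits.append(url)
    return hits


# Constructed sample email body (not a real message from the app).
SAMPLE_EMAIL = """Welcome to app.com!
Confirm your address: http://app.com/verify?token=abc123
Need help? Visit https://app.com/help or read http://app.com/about
"""

if __name__ == "__main__":
    print(vulnerable_verify_link("http://app.com", "abc123"))
    print(find_insecure_token_links(SAMPLE_EMAIL))
    store = VerificationStore()
    tok = store.issue("user-42")
    print(secure_verify_link("https://app.com", tok))
    print(store.redeem(tok), store.redeem(tok))  # second redeem is None (single use)
```

The scheme check in secure_verify_link stops the misconfiguration at the point where the link is built, which is where it belongs; the hashed-at-rest, single-use, short-expiry token limits the damage if a link still leaks through some other channel, such as a compromised mailbox.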