by eterm 3529 days ago
For analytics this isn't a big problem.

Once a reset link has been clicked, it should be immediately invalidated.

So unless the server was able to respond to the link and provide the analytics stuff but not somehow invalidate the token, I can't see how this is a problem.

Another related problem is that some third party mailers move all their links via URL redirectors. In that case there's a chance the host application fails and the link is left valid.


>Once a reset link has been clicked, it should be immediately invalidated.

I'm not sure about this... Couldn't this produce some unexpected reset failures in cases of browsers preloading links in webmail clients?

Drupal (and WordPress, if I recall correctly) invalidate immediately. Considering reset links are sent in plain text by email, it's a good way to test whether the link has been used by someone else.

Besides, it would be an odd security hazard if browsers/webmails preloaded links in emails (malicious URLs in spam/scams).

edit: in Drupal, the reset link loads a page with a button that the user must click on. This avoids issues with potential preload or anti-virus scans.

What if they click the link but don't click the button? Do they need another password reset token at that point? If not, is there still an attack window there that needs to be plugged?

The links usually expire after 24 hours (attack window), if unused.

Loading the page without clicking does not invalidate the link.

I agree this is not highly secure. It's basically one notch above sending cleartext passwords by email (which many websites unfortunately still do).
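The flow the thread converges on (the Drupal-style one: loading the emailed link only shows a form, the button press is what consumes the token, and an unused token dies after 24 hours) is small enough to show in full. The following is an added example, not code from Drupal, WordPress or any commenter. It assumes an in-memory store standing in for a database table, a 24-hour TTL taken from the thread, and a plain SHA-256 stand-in for the real password hash; it also makes one design choice the thread does not state, namely that issuing a new token for a user invalidates that user's earlier one. Only the hash of the token is stored, so a leaked table does not hand out live links, and the lookup uses a constant-time comparison.

```python
"""Single-use password reset tokens with a non-consuming GET and a consuming POST step.

Added example; the store, TTL, and password "hash" below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed 24-hour window, as mentioned in the thread


class ResetTokenStore:
    """In-memory stand-in for a reset_tokens table (assumption: real apps persist this)."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised without waiting
        self._entries = []   # dicts: token_hash, user_id, expires, used

    def issue(self, user_id):
        """Mint a token for the emailed link; only its hash is stored server-side."""
        # Design choice (not from the thread): a newer token replaces any older one.
        for e in self._entries:
            if e["user_id"] == user_id:
                e["used"] = True
        raw = secrets.token_urlsafe(32)
        self._entries.append({
            "token_hash": hashlib.sha256(raw.encode()).hexdigest(),
            "user_id": user_id,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        })
        return raw

    def _find(self, raw):
        h = hashlib.sha256(raw.encode()).hexdigest()
        for e in self._entries:
            # compare_digest keeps the lookup time independent of matching prefix length
            if hmac.compare_digest(e["token_hash"], h):
                return e
        return None

    def check(self, raw):
        """Classify a token without changing any state."""
        e = self._find(raw)
        if e is None:
            return "unknown"
        if e["used"]:
            return "used"
        if self._clock() > e["expires"]:
            return "expired"
        return "valid"

    def handle_get(self, raw):
        """The page the emailed link opens. It renders a button but consumes nothing,
        so a webmail preloader or an antivirus scanner fetching the URL does not
        burn the token before the user gets to it."""
        status = self.check(raw)
        return "form_shown" if status == "valid" else "rejected:" + status

    def handle_post(self, raw, new_password, users):
        """The button submit: the only step that changes the password, and it
        marks the token used so a second submit (or a second party) is refused."""
        e = self._find(raw)
        status = self.check(raw)
        if status != "valid":
            return "rejected:" + status
        e["used"] = True
        # Stand-in for a real password hash (bcrypt/argon2 in practice).
        users[e["user_id"]] = hashlib.sha256(new_password.encode()).hexdigest()
        return "password_changed"


def demo():
    """Walk the flow once with a fake clock; returns the observed statuses in order."""
    clock = {"now": 1_000_000.0}
    store = ResetTokenStore(clock=lambda: clock["now"])
    users = {}
    tok = store.issue("alice")
    seen = [store.handle_get(tok),          # preloader hits the link
            store.handle_get(tok),          # user opens it: still valid
            store.handle_post(tok, "correct horse", users),
            store.handle_post(tok, "replayed", users)]  # second submit refused
    tok2 = store.issue("alice")
    clock["now"] += TOKEN_TTL_SECONDS + 1  # token sits unused past the window
    seen.append(store.handle_post(tok2, "late", users))
    return seen
```

`demo()` shows the two properties the thread cares about: repeated GETs leave the token valid, while the first POST both changes the password and makes every later use fail, and an unused token is refused once the 24-hour window has passed.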