Hacker News
by stonemetal12 2059 days ago
Defense in depth says No, not Ok.

For example: Accidentally open to the internet log server (as above). Attacker sends password reset request. Attacker checks log to steal token. Attacker now has stolen account until owner can't log in and does reset, or perhaps semi-permanently if attacker steals all tokens for said account and invalidates them before owner can use them.
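
Added example, not part of the original comment: one way to keep reset tokens out of the log in the first place is a `logging.Filter` that replaces each token with a short hash, so a reader of the log can correlate lines but cannot replay the token. The token shapes, logger name and sample lines are constructed assumptions for illustration.

```python
import hashlib
import logging
import re

# Assumed token shapes (constructed): a token= / reset_token= parameter,
# or a /reset/<token> path segment, each 16+ URL-safe characters.
TOKEN_PATTERNS = [
    re.compile(r"(?i)\b((?:reset_)?token=)([A-Za-z0-9_\-.]{16,})"),
    re.compile(r"(?i)(/reset/)([A-Za-z0-9_\-.]{16,})"),
]

def fingerprint(token: str) -> str:
    # Short SHA-256 prefix: enough to correlate log lines, useless for login.
    return hashlib.sha256(token.encode()).hexdigest()[:8]

def redact(text: str) -> str:
    for pat in TOKEN_PATTERNS:
        text = pat.sub(
            lambda m: f"{m.group(1)}[REDACTED sha256:{fingerprint(m.group(2))}]", text)
    return text

class ResetTokenRedactor(logging.Filter):
    # Formats the record first so tokens passed as %s arguments are caught too.
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def demo() -> list:
    captured = []
    handler = logging.Handler()
    handler.emit = lambda record: captured.append(record.getMessage())
    handler.addFilter(ResetTokenRedactor())
    log = logging.getLogger("reset-demo")  # hypothetical logger name
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    token = "Zx9Qk3LmT7vB2nRw8sYd"  # constructed sample token
    log.info("POST /password/reset email=%s", "user@example.com")
    log.info("sent mail link=https://app.example/reset/%s", token)
    log.info("GET /account/reset?token=%s 200", token)
    log.removeHandler(handler)
    return captured

if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter is attached to the handler, so it applies to every record that handler ships to the log server regardless of which logger produced it.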