I visited Zipcar to see what car makes and models were available in my neighborhood. Alas, I couldn’t log in, because I couldn’t remember my password.
It, apparently, wasn’t one of my standard web passwords, nor was it in 1Password. (I haven’t logged in to the site in over a year.) So, I clicked their password-reset link…
At the first screen, I entered my e-mail address, and clicked Submit. This form’s HTML was trivial:
<form class="generic-form" method="post" action="user-login" id="login_form" name="login">
  <fieldset class="dp_box">
    <h2>Forgot your username or password? We can help.</h2>
    Please verify yourself by providing your email address below:
    <ul>
      <li>
        <label for="email">Email Address:</label>
        <input type="text" id="email" name="email" size="20" />
      </li>
      <li>
        <div class="form-action-buttons">
          <span class="graphical-btn"><button type="submit" class="submit">Submit</button></span>
        </div>
      </li>
    </ul>
  </fieldset>
</form>
Their server redirected me, I kid you not, to this URL:
There are two problems here. One, their password-reset sequence seems to be broken. Two, that URL is horrific.
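The post’s title names the underlying design problem: the page wording itself travels in the query string. The following is an added example (not Zipcar’s code) contrasting the two approaches. It assumes a parameter named `message`, as in the URL quoted in the comments, and the message keys and wording in `MESSAGES` are made up for illustration. Escaping the reflected text does stop script injection, but anyone can still craft a link whose chosen sentence renders as the site’s own notice; carrying only a short key and keeping the wording server-side removes that.

```python
"""Two ways to surface a status message after a redirect.

Added example, not Zipcar's code. The parameter name "message", the key
names and the wording in MESSAGES are assumptions for illustration.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

# Allow-list: the URL carries only a short key; the wording lives server-side.
MESSAGES = {
    "reset_sent": "A password reset link has been e-mailed to that address, if it is registered.",
    "login_required": "Please sign in to continue.",
}


def _query_param(url, name):
    """Return the first value of query parameter `name`, or None."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def render_reflected(url):
    """Reflect the free-text ?message= value into the page.

    HTML-escaping stops script injection, but any sentence an attacker puts
    in the link is still displayed as the site's own notice (content spoofing).
    """
    text = _query_param(url, "message")
    if text is None:
        return ""
    return f'<p class="notice">{escape(text, quote=True)}</p>'


def render_keyed(url):
    """Look the ?message= value up as a key; unknown keys render nothing."""
    key = _query_param(url, "message")
    text = MESSAGES.get(key)
    if text is None:
        return ""
    return f'<p class="notice">{escape(text, quote=True)}</p>'


if __name__ == "__main__":
    # Constructed sample links (placeholder host, not a real URL).
    spoof = "https://example.invalid/register/index?message=Your+account+has+been+suspended"
    script = "https://example.invalid/register/index?message=%3Cscript%3Ealert(%27foo%27);%3C/script%3E"
    legit = "https://example.invalid/register/index?message=reset_sent"
    for url in (spoof, script, legit):
        print("reflected:", render_reflected(url))
        print("keyed:    ", render_keyed(url))
```

Run as a script, the reflected variant prints the attacker’s sentence (and a harmless escaped `&lt;script&gt;`), while the keyed variant prints an empty notice for both crafted links and the fixed server-side text only for `reset_sent`.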
3 thoughts on “Zipcar.com embeds messages in query strings”
At least they appear to have considered the potential for cross-site scripting: https://www.zipcar.com/register/index?message=%3Cscript%3Ealert(%27foo%27);%3C/script%3E
That doesn’t remove the potential for making something embarrassing appear as if it’s coming from Zipcar, though: http://bit.ly/2w3J
@David: Oh, that’s excellent!