Zipcar.com embeds messages in query strings


I visited Zipcar to see what car makes and models were available in my neighborhood. Alas, I couldn’t log in, because I couldn’t remember my password.

It, apparently, wasn’t one of my standard web passwords, nor was it in 1Password. (I haven’t logged in to the site in over a year.) So, I clicked their password-reset link…

At the first screen, I entered my e-mail address, and clicked Submit. This form’s HTML was trivial:

<form class="generic-form" method="post" action="user-login" id="login_form" name="login">
    <fieldset class="dp_box">
        <h2>Forgot your username or password?  We can help.</h2>
        Please verify yourself by providing your email address below:
        <ul>
            <li>
                <label for="email">Email Address:</label>
                <input type="text" id="email" name="email" size="20" />
            </li>
            <li>
                <div class="form-action-buttons">
                    <span class="graphical-btn"><button type="submit" class="submit">Submit</button></span>
                </div>
            </li>
        </ul>
    </fieldset>
</form>

Their server redirected me, I kid you not, to this URL:

https://www.zipcar.com/register/index?message=Enter+your+username+or+Zipcard+number+and+password%2e++Your+username+was+orginally+made+up+of+the+first+part+of+your+e%2dmail+address%2c+before+the+%27%40%27+sign+%28your+welcome+letter+has+this+information+as+well%29%2e+Your+Zipcard+number+is+on+the+bottom+right+corner+of+your+Zipcard%2e.

There are two problems here. One, their password-reset sequence seems to be broken. Two, that URL is horrific.
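
The deeper problem with that redirect is that whatever text arrives in the message parameter is rendered on Zipcar's own page, so the URL, not the server, decides what the site says. As an added example (my code, not Zipcar's), the Python below contrasts that reflected pattern with one where the URL carries only a short key and the wording is looked up server-side; the message keys, texts and example host are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side catalogue of user-facing notices (constructed for this example).
# Only texts in this table can ever be shown, whatever the URL says.
MESSAGES = {
    "login-hint": (
        "Enter your username or Zipcard number and password. "
        "Your username was originally the first part of your e-mail address."
    ),
    "reset-sent": "If that address is registered, a reset link is on its way.",
}


def reflected_message(url: str) -> str:
    """The pattern the post observes: free text from ?message= goes into the page.

    HTML-escaping blocks script injection, but attacker-chosen wording still
    renders as if it came from the site.
    """
    text = parse_qs(urlparse(url).query).get("message", [""])[0]
    return f'<p class="notice">{escape(text)}</p>'


def keyed_message(url: str) -> str:
    """Hardened pattern: ?msg= carries a key, the text comes from MESSAGES.

    Unknown or missing keys render nothing, so the URL cannot put words in
    the site's mouth.
    """
    key = parse_qs(urlparse(url).query).get("msg", [""])[0]
    text = MESSAGES.get(key)
    if text is None:
        return ""
    return f'<p class="notice">{escape(text)}</p>'


def redirect_url(base: str, key: str) -> str:
    """Build the redirect target, refusing keys that are not in the catalogue."""
    if key not in MESSAGES:
        raise ValueError(f"unknown message key: {key}")
    return f"{base}?{urlencode({'msg': key})}"
```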

3 comments
  1. At least they appear to have considered the potential for cross-site scripting: https://www.zipcar.com/register/index?message=%3Cscript%3Ealert(%27foo%27);%3C/script%3E

  2. That doesn’t remove the potential for making something embarrassing appear as if it’s coming from Zipcar, though: http://bit.ly/2w3J

  3. John said:

    @David: Oh, that’s excellent!
