embeds messages in query strings

I visited Zipcar to see what car makes and models were available in my neighborhood. Alas, I couldn’t log in, because I couldn’t remember my password.

It, apparently, wasn’t one of my standard web passwords, nor was it in 1Password. (I haven’t logged in to the site in over a year.) So, I clicked their password-reset link…

At the first screen, I entered my e-mail address, and clicked Submit. This form’s HTML was trivial:

<form class="generic-form" method="post" action="user-login" id="login_form" name="login">
    <fieldset class="dp_box">
        <h2>Forgot your username or password?  We can help.</h2>
        Please verify yourself by providing your email address below:
        <label for="email">Email Address:</label>
        <input type="text" id="email" name="email" size="20" />
        <div class="form-action-buttons">
            <span class="graphical-btn"><button type="submit" class="submit">Submit</button></span>
        </div>
    </fieldset>
</form>

Their server redirected me, I kid you not, to this URL:

There are two problems here. One, their password-reset sequence seems to be broken. Two, that URL is horrific.
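To make the design problem concrete, here is an added example (not Zipcar's code, and not from the original post) contrasting the pattern above with the usual fix. The URLs, the parameter name "msg" and the message texts are all constructed for the demonstration. Escaping the reflected text stops script injection, but any text in the query string is still displayed under the site's own branding; carrying only an allowlisted message code in the URL removes that entirely.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the pattern in the post: the server redirects to a URL
# that carries the message text itself (hypothetical parameter name "msg").
REFLECTED_REDIRECT = "https://example.invalid/user-login?msg=Check+your+email+for+a+reset+link"

# The same pattern abused: nothing stops a third party from putting their own
# wording in the link and letting the site render it (constructed sample).
SPOOFED_REDIRECT = ("https://example.invalid/user-login?msg="
                    "Your+account+is+suspended.+Call+555-0100+to+reactivate+it")

# Allowlisted message codes: the URL carries only a short token; the wording
# stays server-side, so a link can only ever select one of these texts.
MESSAGES = {
    "reset_sent": "If that address is registered, a reset link is on its way.",
    "reset_expired": "That reset link has expired; please request a new one.",
}
DEFAULT_MESSAGE = "Please sign in."


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_reflected(url: str) -> str:
    """Escaped reflection of free text from the URL: blocks script injection,
    but still shows whatever text the link's author chose."""
    return f'<p class="notice">{escape(_query_param(url, "msg"))}</p>'


def render_by_code(url: str) -> str:
    """Map an allowlisted code to server-controlled text; anything else falls
    back to a neutral default, so the URL no longer dictates page content."""
    text = MESSAGES.get(_query_param(url, "msg"), DEFAULT_MESSAGE)
    return f'<p class="notice">{escape(text)}</p>'
```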

  1. At least they appear to have considered the potential for cross-site scripting:;%3C/script%3E

  2. That doesn’t remove the potential for making something embarrassing appear as if it’s coming from Zipcar, though:

  3. John said:

    @David: Oh, that’s excellent!
