June 19, 2026
The One Thing Nobody Checks in Password Reset (And Why It Pays)
Everyone tests the token. Nobody tests the after.
Password reset flows are my favorite thing to test.
Not because they're easy. Because everyone checks the same things and misses the weird stuff.
Here's what I mean.
– -
What Everyone Tests
Token expiration. Rate limiting. User enumeration. Host header injection.
Basic stuff. Good to check. But most programs have fixed these.
So you test. Find nothing. Move on.
That's where the good stuff hides.
– -
The Check That Nobody Does
After you reset your password, what happens?
Most hunters stop at "I can reset the password." They log in with the new password. Report the bug. Done.
But there's a whole world of bugs in what happens after.
What I test:
Log in with the new password. Then log out. Then try the old password again.
Sometimes the old password still works. The server didn't invalidate it properly. That's a bug.
Try the reset link again. Does it still work? Sometimes it does. That means the token isn't invalidated after use. Not great.
Open the reset link in a different browser or device. On its own that should work, since the link arrives by email and the user may well click it from another client, so this is not a finding by itself. What to watch for is any state the first visit leaves behind: if opening the link sets a cookie that the password-change form then trusts, check whether that form is accepted from a browser that never opened the link, or whether the cookie is all an attacker needs.
Try the reset link after changing your password through the normal profile update. Does it still work? Shouldn't.
– -
The One That Paid $1200
I found a site where you could reset your password. Everything looked secure.
But after I reset, I noticed something weird. The old session cookie still worked.
I could have two sessions at the same time. One with the new password. One with the old password.
The server never invalidated old sessions after a reset. Which meant if someone stole your cookie, you changing your password wouldn't kick them out.
That's a session management bug. $1200.
– -
Why This Works
Developers test the reset flow. They test the token generation. They test the email.
They forget to test what happens after the reset.
Because that's "already done." The hard part is over. They move to the next feature.
That's where you come in.
– -
What You Should Test Next Time
After you reset a password:
- Try the old password
- Try the reset link again
- Check if old session cookies still work
- Check if the reset link is accepted from a different IP than the one that requested it
- Check if you can request and complete a reset while already logged in
- Check if the first reset link still works after a second reset request
All of these are things the developer probably didn't check. One of them might pay.
– -
A Quick Story
I once tested a reset flow. Found nothing. Token was secure. Rate limiting was on.
Then I tried something random. I requested a reset. Logged in with the new password. Then I went back to the reset page and used the same link to change the password again.
It worked. No new token needed. The link was valid forever after first use.
That was an account takeover. A friend who was watching my screen said "that's dumb." The company paid $1500 for it.
– -
What I Wish Someone Told Me
Don't just test the reset. Test everything after the reset.
That's where developers forget to secure things. That's where the money is.
– -
Found a weird password reset bug before? Drop it in the comments.
If this saved you from missing a payout, clap and follow.
Want more daily bug hunting content? Connect with me on LinkedIn: https://www.linkedin.com/in/bughunter