July 4, 2026
How I Found an Account Takeover (ATO) in Swisscom
Password Reset Token Reuse → Account Takeover

By m0ro23
Target
example.swisscom.com
Vulnerability Type
Broken Authentication - CWE-287
Summary
When you request a password reset, the app sends you a token by email. The problem is old tokens never get killed off. Every reset request generates a brand new token, but the previous ones stay active forever. So even after you successfully reset your password with the newest token, any older token from a past email still works and can reset the password again.
Steps to Reproduce
- Request a password reset. You get Token 1 in your email.
- Request another password reset. You get Token 2.
- Use Token 2 to reset the password. It works; the password is changed.
- Go back to the first email and grab Token 1.
- Use Token 1 on the reset endpoint.
- It still works. You can change the password again with an "old" token that should have been dead.
Impact
This basically means a reset token never really expires unless there's a separate time-based expiry doing the job (and even then, it's usually way too long). If an attacker ever gets hold of any reset email, old or new, they have a permanent way back into the account:
- Changing your password doesn't stop the attacker's older token from working.
- Requesting a new reset doesn't cancel the old ones either.
- One leaked email, at any point in time, is a standing account takeover.
Since this is a booking/entertainment platform, this exposes personal data, saved payment info, and booking history.
Root Cause
Each token is treated as its own independent thing. There's no logic that says "once one token gets used, kill all the others" or "once a new token exists, the old one is dead."
Fix Recommendations
- Invalidate every other token the moment one is successfully used.
- Invalidate old tokens automatically whenever a new reset is requested.
- Keep token expiry short, 15–30 minutes max.
- Log out all active sessions after a password reset.
- Mark tokens as single-use in the database and flip that flag the second they're consumed; don't just rely on timestamps.
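To make the root cause and the fix concrete, here is a small reset-token store written for this writeup (it is not Swisscom's code and it does not model their real backend). The same service class can be built in a "vulnerable" mode, where each token lives on its own exactly as described under Root Cause, or in a "hardened" mode that applies the recommendations above: a new request invalidates the old tokens, a successful reset invalidates every other token and logs out all sessions, tokens are single-use, and they expire after 15 minutes. The `reproduce` function walks through the Steps to Reproduce against either mode; the user, passwords and clock values are constructed samples.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # short expiry, at the low end of the 15-30 minute recommendation


@dataclass
class ResetToken:
    token_hash: str      # only a hash of the emailed token is stored server-side
    issued_at: float
    used: bool = False   # single-use flag, flipped the moment the token is consumed


@dataclass
class UserRecord:
    password_hash: str
    reset_tokens: list = field(default_factory=list)
    active_sessions: set = field(default_factory=set)


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class ResetService:
    """Hypothetical reset flow. hardened=False reproduces the reported bug."""

    def __init__(self, hardened: bool, now=time.time):
        self.hardened = hardened
        self.now = now  # injectable clock so expiry can be tested without sleeping
        self.users: dict = {}

    def register(self, email: str, password: str) -> None:
        self.users[email] = UserRecord(password_hash=_hash(password))

    def login(self, email: str, password: str):
        user = self.users[email]
        if not secrets.compare_digest(user.password_hash, _hash(password)):
            return None
        session_id = secrets.token_urlsafe(16)
        user.active_sessions.add(session_id)
        return session_id

    def request_reset(self, email: str) -> str:
        user = self.users[email]
        if self.hardened:
            user.reset_tokens.clear()  # fix: a new request cancels every older token
        raw = secrets.token_urlsafe(32)
        user.reset_tokens.append(ResetToken(_hash(raw), self.now()))
        return raw  # this value is what would be sent in the email

    def reset_password(self, email: str, raw_token: str, new_password: str) -> bool:
        user = self.users[email]
        presented = _hash(raw_token)
        for tok in user.reset_tokens:
            if not secrets.compare_digest(tok.token_hash, presented):
                continue
            if tok.used or self.now() - tok.issued_at > TOKEN_TTL_SECONDS:
                return False  # consumed or expired token is rejected
            tok.used = True
            if self.hardened:
                user.reset_tokens = [tok]      # fix: every other token dies on use
                user.active_sessions.clear()   # fix: log out all sessions after reset
            user.password_hash = _hash(new_password)
            return True
        return False


def reproduce(service: ResetService) -> bool:
    """Runs the writeup's steps; returns True if the stale Token 1 still resets the password."""
    email = "victim@example.invalid"  # constructed sample account
    service.register(email, "original-pw")
    token1 = service.request_reset(email)   # step 1: Token 1 arrives by email
    token2 = service.request_reset(email)   # step 2: Token 2 arrives by email
    if not service.reset_password(email, token2, "new-pw-1"):  # step 3
        raise RuntimeError("the newest token must always work")
    return service.reset_password(email, token1, "new-pw-2")   # steps 4-6


if __name__ == "__main__":
    print("vulnerable: old token still works?", reproduce(ResetService(hardened=False)))
    print("hardened:   old token still works?", reproduce(ResetService(hardened=True)))
```

Running the module prints `True` for the vulnerable build and `False` for the hardened one. Storing only a hash of the token and comparing with `compare_digest` are unrelated to the reported bug but are what a reviewer would expect to see in the same code path, so they are included rather than left as an exercise.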