flask-security
Reset password email can be exploited
From SO:
I have a flask application running on a production environment, and one of the users requested a password reset, which sent out an email to them with a link back to the site for resetting the password.
That email got shared with a third-party probably, and the link got exposed. Now the reset request is being spammed from multiple IP addresses. There is a timer I set using the SECURITY_RESET_PASSWORD_WITHIN config parameter to 30 mins and I can see that it does work as intended, the link is invalidated and throws an error saying the link has expired.
But the default behavior of the Flask-Security package is to re-send the reset email to the user if the token has expired when doing a GET request to the reset page with the expired token. So someone can keep spamming that expired link using GET /reset/token_id and the user keeps getting sent reset emails.
Basically - the default behavior shouldn't be to keep resending the email. Better would be to let them request 'resend email' or something like that.
It is true however, that as soon as the user DOES reset their password - the link goes from expired to invalid and no more emails are sent.
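The safer behaviour described above (an expired link renders a page that offers a resend, and nothing is emailed on a GET), as an added example that is not Flask-Security's own code. It uses a small stdlib HMAC-signed timestamped token in place of Flask-Security's serializer, and the `ResetFlow` class, its view names and the `RESEND_COOLDOWN` setting are assumptions for illustration; the secret key and the user ids are constructed.

```python
"""Added example (not Flask-Security code): reset-link handling where a GET
with an expired token never sends mail, and an explicit resend is throttled."""
import base64
import hashlib
import hmac

# Constructed secret for the example; a real app loads this from configuration.
SECRET_KEY = b"example-secret-not-for-production"
RESET_WITHIN = 30 * 60       # seconds a reset link stays valid (mirrors the 30 min above)
RESEND_COOLDOWN = 10 * 60    # assumed minimum gap between two reset emails per user


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_reset_token(user_id: str, issued_at: int) -> str:
    """Token = urlsafe-base64(user_id:issued_at) + '.' + HMAC over the payload."""
    payload = f"{user_id}:{issued_at}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def parse_reset_token(token: str, now: int):
    """Return (status, user_id) with status 'valid', 'expired' or 'invalid'.
    A tampered or malformed token is 'invalid' and yields no user id, so an
    attacker cannot pick which account receives mail by editing the link."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        if not hmac.compare_digest(_sign(payload), sig):
            return "invalid", None
        user_id, issued = payload.decode().rsplit(":", 1)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return "invalid", None
    if now - issued_at > RESET_WITHIN:
        return "expired", user_id
    return "valid", user_id


class ResetFlow:
    """Stand-in for the reset views; 'sent' records mail that would go out."""

    def __init__(self):
        self.sent = []        # (user_id, token) pairs handed to the mailer
        self.last_sent = {}   # user_id -> time of the last reset email

    def send_reset_email(self, user_id: str, now: int) -> bool:
        last = self.last_sent.get(user_id)
        if last is not None and now - last < RESEND_COOLDOWN:
            return False      # throttled: the user is not mailed again yet
        self.last_sent[user_id] = now
        self.sent.append((user_id, make_reset_token(user_id, now)))
        return True

    def get_reset_page(self, token: str, now: int) -> str:
        """GET /reset/<token>: only renders a page; never sends mail."""
        status, _ = parse_reset_token(token, now)
        if status == "valid":
            return "reset_form"
        if status == "expired":
            return "expired_offer_resend"   # page with an explicit resend button
        return "invalid_link"

    def post_resend(self, token: str, now: int) -> str:
        """POST /reset/<token>/resend: explicit, throttled re-issue of the link."""
        status, user_id = parse_reset_token(token, now)
        if status != "expired":
            return "ignored"  # a valid link needs no resend; a forged one gets nothing
        return "sent" if self.send_reset_email(user_id, now) else "throttled"


def demo() -> dict:
    """Walk through the scenario from the report with constructed timestamps."""
    flow = ResetFlow()
    t0 = 1_700_000_000
    flow.send_reset_email("alice", t0)
    token = flow.sent[0][1]
    late = t0 + RESET_WITHIN + 1
    results = {"fresh_get": flow.get_reset_page(token, t0 + 60),
               "expired_get": flow.get_reset_page(token, late)}
    for _ in range(50):                      # repeated GETs of the expired link
        flow.get_reset_page(token, late)
    results["mails_after_expired_gets"] = len(flow.sent)   # still just the first one
    results["first_resend"] = flow.post_resend(token, late)
    results["second_resend"] = flow.post_resend(token, late + 1)
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")
    results["forged_get"] = flow.get_reset_page(forged, t0)
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking are that the count of sent mails does not grow with GET requests of an expired link, and that even the explicit resend is bounded per user by the cooldown, so a shared link cannot be turned into a mail flood against the account holder.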