Posts

Showing posts from February, 2018

The curious case of hidden form fields changing their value....

So today I was looking into an odd issue our CEO experienced using a website. He would get a password reset email and upon following the link and entering a new password it would fail to change with a cryptic message.

I said I'd have a quick look and see what I could see. I signed up and triggered a password reset and found no issue. I was using Chrome and assumed he had but it turns out he was using Safari on his Mac not Chrome. So I loaded up Safari on my Mac and used my link to again find no issue.

To be thorough I asked him to send me his link, in Chrome no issue however this time in Safari I hit the issue. My first thought led me to then check what was posted to the server and sure enough in Chrome I could see an encoded access token sent but in Safari I saw my email address sent. I tried this on my CEO's machine and his machine posted his email address, it looked like Safari was autofilling hidden form fields as well as visible ones!

This is crazy!

So I performed a quick…