I have a web app which allows users to sign in to their accounts.
When they forget their password, or when they want to confirm their email, they receive an email with a one-time link (this link has a one-time code in its query string, i.e. example.com?code=encrypt(1234)), which expires after a given time.
Now having this link will grant you the ability to change the user's password. Is this a security threat? Every package sent to and from this webapp is non-deterministically encrypted.
My questions in short:
- Is it a problem, that I am using the same link to confirm an email, and reset the password depending on the situation?
- Is it a problem that this one-time code is being sent as an encrypted string? What I mean is: if the code is actually a string such as
h4drMfH/iVSPJGP0+zFlNQw......5bqnwU7Pdbo=
is there any way someone could predict the algorithm, or crack it if they know that the string encodes four digits? I.e. could they work backwards to find the algorithm? Note that the result of encrypt(123) will be different if you do it twice.
- Could someone get their hands on it by using the fact that the code is part of the query string used by my web app?
Appreciated.
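As an added illustration (not the asker's code) of the usual way such links are built so that none of the three questions arises: the code in the link is a random, high-entropy token rather than an encrypted small number, only its hash is stored server-side, and each token is bound to one purpose (password reset or email confirmation), one user, an expiry, and a single use. The in-memory store and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example: sha256(token) -> record.
# A real application would keep this in a database table.
_TOKENS = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a link


def _digest(token):
    # Only the hash is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, purpose, now=None):
    """Create a single-use link token bound to one user and one purpose.

    32 bytes from the OS CSPRNG (~256 bits): unlike encrypt(<4 digits>),
    which has only 10,000 possible plaintexts, there is nothing to guess
    or 'work backwards' from, whatever the attacker knows about the scheme.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = {
        "user_id": user_id,
        "purpose": purpose,  # "reset_password" or "confirm_email"
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token  # goes into the link: https://example.com/reset?code=<token>


def redeem_token(token, purpose, now=None):
    """Return the user id if the token is valid for this purpose, else None.

    Rejects unknown, expired and already-used tokens, and tokens that were
    issued for a different purpose (a confirm-email link cannot reset a
    password). A valid token is consumed on first use.
    """
    now = time.time() if now is None else now
    record = _TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    if record["purpose"] != purpose:
        return None
    record["used"] = True
    return record["user_id"]
```

Because the token itself is never stored and is only ever compared by hash, it can also be dropped from server logs and referrers by issuing it on a page that immediately posts it back, rather than leaving it in a URL that gets logged.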