• zaphod@sopuli.xyz
    link
    fedilink
    arrow-up
    33
    ·
    3 months ago

    It’s quite simple actually: The user wanted to delete their account, but forgot their password so they requested a password reset. Before the password reset email was delivered, the user remembered their password and deleted their account. The password reset email is finally delivered and apparently some email clients open all the links in the background for whatever reason, so it wasn’t actually the user who clicked the password reset link.

      • TedvdB@feddit.nl
        link
        fedilink
        arrow-up
        33
        ·
        3 months ago

        Yes, e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.

        Thats why you never take actions on a GET request, but require a form with button for the user to do a POST.

      • Malix@sopuli.xyz
        link
        fedilink
        arrow-up
        18
        ·
        edit-2
        3 months ago

        Yep. Apparently outlook does this and afaik because some kind of link sniffing/scam detection/whatever, but it does it by changing the first characters of each query argument around.

        We spent amazingly long time figuring that one out. “Who the hell has gotten Microsoft service querying our app with malformed query args and why”