I have a general question about password reset messages.
If I receive an email with a plain text generated password (in response to a password reset request), is this a vulnerability? The password expires after one use, in other words the user has to change their password as soon as they register.
I could imagine that such a password reset scheme would at least be vulnerable to a man in the middle attack. The man in the middle could get the temp password and then lock out the user with a new password. But is there perhaps another vulnerability?
The man in the middle, or the system that sent you the password, or any personnel at that system, could use the password for its own nefarious purposes, including value transactions against your account.
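For contrast with the emailed temporary password discussed above, the following is an added example (not code from either poster) of the reset flow most systems use instead: a random single-use token that only authorizes choosing a new password and whose SHA-256 digest, never the token itself, is what the server keeps. The in-memory store, the 15-minute lifetime and the function names are assumptions made for the example. Storing only the digest addresses the answer's point that the sending system and its operators hold a usable credential; the expiry and single-use check narrow the interception window, but they do not by themselves stop an interceptor who redeems the token before the legitimate user does.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store: username -> reset record. A real deployment
# would use a database table; this is example code, not the original poster's.
RESET_RECORDS: Dict[str, dict] = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


def _digest(token: str) -> str:
    """Hex SHA-256 of the token; this is all the server ever stores."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for `username` and return it.

    Only the digest is persisted, so a database dump or an operator reading
    the table does not yield a redeemable token; the plaintext exists only in
    the message sent to the user. Issuing a new token replaces any older one.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_RECORDS[username] = {
        "digest": _digest(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a fresh, unexpired token; False otherwise.

    Marking the record used on success means that whoever redeems it second,
    whether the user or an interceptor, is refused; a wrong guess does not
    consume the record. The digest comparison is constant-time.
    """
    now = time.time() if now is None else now
    record = RESET_RECORDS.get(username)
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["digest"], _digest(token)):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("stored record:", RESET_RECORDS["alice"])  # digest only, no token
    print("first redeem:", redeem_reset_token("alice", t))
    print("second redeem:", redeem_reset_token("alice", t))
```

The token is only ever exchanged for the right to set a new password; it is not itself a login credential, which is the main difference from mailing a temporary password.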