A Password Reset Gone Wrong: Credentials Leaked via Raw Email - 2026

Second bug found in the wild!!!

Background

This bug was found on the same site where I found my first bug, while I was testing the password reset functionality.

A Standard Password Reset

Viewing the Email in Raw Format

When a Header Contains More than Metadata

Why "It's Just a No-Reply Account" Still Matters

Responsible Disclosure

Remediation

  1. Removing Credentials from Email Configurations

  2. Proper Authentication for Mail Services
