Bad ISACA Password Reset Email

February 18, 2010

For those that have asked, here is the example of the bad password email issue from

To reset your password, or as in this case, to cause an email to go to someone you are targeting for interception, go here:

Then, you can simply guess their user name, (ISACA tells you if your wrong...) and get the password sent in PLAIN TEXT EMAIL to you/your victim if you have access to sniff, capture or view the email.

Here is an example of what you get in email:

Dear ISACA constituent,

Per your request, the password on your account is: PASSWORD_IN_PLAIN_TEXT

If you did not make this request for your password, please notify us by
replying to this email immediately.

Thank you.


The above email, instead of containing a reset link, as it should, contains the actual password. This is very disappointing from ISACA, of all people. Why are their web apps not audited up to the OWASP and other security standards that they teach others to check for?

They have been alerted via email to this issue.

main page ATTRITION feedback