Help get this topic noticed by sharing it on Twitter, Facebook, or email.
I’m scared, frustrated

Passwords

It turns out anyone can change any users password.  It's simple, just go to the forgot password site https://www.myliftmaster.com/Account/ForgotPassword and enter an email address.  If that email address happens to be tied to an account then the system will reset the password and email the user a new password.

The problem here is that now any login session you already have is now trashed and you'll have to login again.  Give it a try, if you're logged into the app just enter your email address into the field and the app will kick you out and you won't be able to get back in until you use the new password.

This is bad on yet another level - sending the users password in the clear.  Any jane or joe who sees internet traffic can and will see that password reset email with both your email and new password in plaintext for anyone to see.

With all that said this is the scary part:  Someone can not only reset your password and lock you out of your account but with a little knowhow they can also see your new password and have full control of your myQ connected devices.
1 person has
this problem
+1
Reply