Cross domain token based multifactor scheme on job application site
I recently got the following error on a redirect scheme I was already suspicious about:
The site is a job application site from a company called MindPal. I have moderate intuition about how tokens are passed around a backend, which made me notice an irregularity in the following UX scheme:
- I applied to two jobs without authenticating on (app.mindpal.co)
- I got a confirmation email
- I got an email from a different domain name (possible cross-domain tenancy) from mindpal.info
- I went back to authenticate to app.mindpal.co and created my account
- I got another email from mindpal.info saying "You have already applied with us", with an activation link that I pasted above, which got blocked
Thereafter, I checked the registrar information using
whois and noticed a few differences between
mindpal.info , which I can't assess all that well.
I am wondering why they are implementing a "click to activate your profile" link from a different domain soon after which you are asked to create your password for the first time. It seems this would be vulnerable to numerous XSS or other injection types.
I will attach below images of the emails. Is this not excessive UX declaration? Adding some constraints to the available functionality might increase the security, of course at the cost of ease of use. Had the Bitdefender error not appeared I would not have minded as many user interfaces these days are "click and don't think with extra animations". 😄
P.S: I also tried refreshing my VPN certificates from different connections in between operations as I was noticing the bitmask differences.