Vulnerability Report 02: Failure to invalidate session on Password Change
Hi team,
I am a security researcher and this time I found this vulnerability
on your website.
Vulnerability Report: Failure to invalidate session on Password Change
Weakness: Insufficient Session Expiration
Description:
I observed that when we change the password from one browser, instead of the session
expiring in the other browser, it just updates the password in the other browser and
the old session gets updated without being logged out.
Steps to check the session management issue on password change:
1- Log in from two browsers at a time [from the Chrome browser and from Mozilla
Firefox]
2- Change the password in settings from the Chrome browser
3- Now check Mozilla Firefox
4- Your session got updated instead of expiring
Recommendations:
If the session is updated from one browser, the others should expire first, to renew the session after login.
Impact:
If the attacker has a user's password and is logged in in different places, as other sessions are not destroyed, the attacker will still be logged in to your account even after the password is changed, because his session is still active. A malicious actor can completely access your account until that session expires! So, your account remains insecure even after the password change.
Please let me know if any more info is needed!
Looking forward to your response.
Thanks & Regards,
Through Star jet Cyber,
Afshan
by "starjet cyber" <starjetcyber22@gmail.com> - 10:19 - 12 Aug 2024
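The fix the report recommends, as an added example that is not part of the original post or of the reported site's code: server-side sessions stamped with a per-user password generation counter, so that a password change invalidates every session issued before it and rotates the session of the browser that made the change. The reproduce_report function walks the report's four steps; the SessionStore class, the PBKDF2 settings and the "alice" credentials are constructed for this example.

```python
import hashlib, hmac, secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Server-side sessions stamped with the password generation they were
    issued under; a session from an older generation is rejected on use."""
    def __init__(self):
        self.users = {}     # username -> [pw_hash, salt, generation]
        self.sessions = {}  # token -> (username, generation at issue time)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = [_hash(password, salt), salt, 0]

    def _check(self, username, password):
        pw_hash, salt, _ = self.users[username]
        return hmac.compare_digest(pw_hash, _hash(password, salt))

    def login(self, username, password):
        if username not in self.users or not self._check(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.users[username][2])
        return token

    def current_user(self, token):
        username, gen = self.sessions.get(token, (None, None))
        if username is None or gen != self.users[username][2]:
            self.sessions.pop(token, None)  # unknown, or issued before a password change
            return None
        return username

    def change_password(self, token, old, new):
        username = self.current_user(token)
        if username is None or not self._check(username, old):
            return None  # require the current password, not just a live session
        salt = secrets.token_bytes(16)
        self.users[username] = [_hash(new, salt), salt, self.users[username][2] + 1]
        self.sessions.pop(token, None)  # rotate the changing browser's own session too
        return self.login(username, new)

def reproduce_report(store):
    """The report's steps: two browser logins, password change from one, check the other."""
    store.register("alice", "old-pass")
    chrome = store.login("alice", "old-pass")
    firefox = store.login("alice", "old-pass")
    chrome = store.change_password(chrome, "old-pass", "new-pass")
    return store.current_user(chrome), store.current_user(firefox)
```

With this store, step 4 of the report yields an expired Firefox session rather than an updated one, while the Chrome browser that changed the password keeps a freshly issued session.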