Severity: medium
Participants: isecurity upsecurit
Visibility: Public
Weakness: Improper Authentication - Generic (CWE-287)
Reported To: UpSecurIT

Ahmed Whitehat (isecurity)

Session is not invalidated after password reset    State: Resolved


After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. Logging in with the new password doesn't invalidate the older session either: I could browse my account using two sessions (in two different browsers).

Steps:
1. Suppose two browsers, X and Y. Log in to your account using browser X.
2. Now go to browser Y, open the website and ask for a password reset link.
3. Go to the email, open the password reset link, change the password and log in.
4. Go back to browser X and do anything you want. The account is still active.
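The two-browser scenario from the report, modelled as an added example (this is not UpSecurIT's code and nothing here is taken from their application). The in-memory `AuthService` below reproduces the bug when constructed with `invalidate_on_password_change=False` and shows the usual fix otherwise: each user carries an `auth_generation` counter that is bumped on every password change, every session records the counter value current at login, and a session whose recorded value no longer matches is refused. The reset link is modelled as a single-use, time-limited token. All names, the PBKDF2 parameters and the 15-minute token lifetime are illustrative choices for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example: illustrative constants, not values from any real deployment.
PBKDF2_ROUNDS = 200_000
RESET_TOKEN_TTL = 15 * 60  # seconds the e-mailed reset link stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password change. A session stores the value seen at
    # login and is refused once the counter has moved past it.
    auth_generation: int = 0


@dataclass
class Session:
    username: str
    auth_generation: int


class AuthService:
    """invalidate_on_password_change=False reproduces the reported behaviour."""

    def __init__(self, invalidate_on_password_change: bool = True):
        self.invalidate = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            user.password_hash, hash_password(password, user.salt)
        ):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.auth_generation)
        return sid

    def request_password_reset(self, username: str) -> str:
        # This token is what the e-mailed link carries: single use, short lived.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, time.time() + RESET_TOKEN_TTL)
        return token

    def complete_password_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(token, None)  # pop => cannot be replayed
        if entry is None or entry[1] < time.time():
            return False
        user = self.users[entry[0]]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        if self.invalidate:
            user.auth_generation += 1
            # Also drop the stored sessions so a stale one cannot be reused
            # even by code paths that forget the generation check.
            self.sessions = {
                sid: s for sid, s in self.sessions.items() if s.username != user.username
            }
        return True

    def is_session_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        return s.auth_generation == self.users[s.username].auth_generation


def reproduce(invalidate_on_password_change: bool) -> dict:
    """Walks the report's steps and returns what each browser can still do."""
    svc = AuthService(invalidate_on_password_change)
    svc.register("alice", "old-password")                 # constructed sample user
    browser_x = svc.login("alice", "old-password")        # step 1: logged in on X
    token = svc.request_password_reset("alice")           # step 2: Y requests the link
    reset_ok = svc.complete_password_reset(token, "new-password")  # step 3: Y changes password
    browser_y = svc.login("alice", "new-password")
    return {
        "reset_ok": reset_ok,
        "x_still_valid": svc.is_session_valid(browser_x),  # step 4: is X still logged in?
        "y_valid": svc.is_session_valid(browser_y),
        "old_password_rejected": svc.login("alice", "old-password") is None,
        "token_single_use": not svc.complete_password_reset(token, "again"),
    }
```

Running `reproduce(False)` leaves browser X's session valid after the reset, which is exactly the report's finding; `reproduce(True)` rejects it while browser Y's fresh login works. The generation counter is the important part: it also covers sessions held in a store the reset handler cannot enumerate (for example signed cookies or JWTs), as long as the check is applied on every request. Applications that want to keep the session that performed the change alive can reissue just that one session with the new generation value rather than exempting it from the check.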
