Hi Team,
Is there any update on this? I'm hoping to receive a reward for the reported bug.
Waiting for your response.
On Fri, 13 Jan 2023 at 02:08, Asad Ali <asadali28223@gmail.com> wrote:
Hey Team,
I'm a penetration tester and bug bounty hunter. I have found a potential vulnerability in the site. Please review the report below.
Vulnerability: Broken Authentication & Session Management
We have observed that when we change the "password" from one browser, instead of the session expiring in the other browser, it just updates the password for the other browser too, and the old session gets updated without being logged out. The flow goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change
Steps:
1- Log in from two browsers at a time [from Chrome and from Mozilla Firefox].
2- Change the password in settings from the Chrome browser.
3- Now check Mozilla Firefox.
4- Your session got "updated" in place of expiration.
The same goes when using two different computer systems.
1- Log in from two computers at a time.
2- Change the password in settings from computer A.
3- Now check computer B.
4- Your session got "updated" in place of expiration.
Recommendations: If the session is being updated from one browser/computer, the other should expire first, renewing its session only after a fresh login.
If you require any additional information, please let me know. I'll be waiting to hear from your side regarding the report and bounty.
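As an added example, not part of the report above or of the site's own code: a minimal Python session store that reproduces the reported behaviour (other sessions survive a password change) next to the recommended fix. The fix stores a per-user password version in every session and rejects sessions issued before the latest change; the class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Hypothetical server-side store: users keyed by name, sessions keyed by token."""

    def __init__(self):
        self.users = {}     # username -> {"pw_hash": bytes, "pw_version": int}
        self.sessions = {}  # token -> {"user": str, "pw_version": int}

    @staticmethod
    def _hash(password):
        # Illustrative only; a real deployment uses a salted, slow hash (argon2/bcrypt/scrypt).
        return hashlib.sha256(password.encode()).digest()

    def register(self, user, password):
        self.users[user] = {"pw_hash": self._hash(password), "pw_version": 0}

    def login(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pw_hash"], self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        # Each session remembers which password generation it was issued under.
        self.sessions[token] = {"user": user, "pw_version": u["pw_version"]}
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        # Fix: a session issued before the most recent password change is stale.
        return s["pw_version"] == self.users[s["user"]]["pw_version"]

    def change_password(self, token, new_password, invalidate_others=True):
        """invalidate_others=False models the reported flaw; True is the fix."""
        if not self.is_valid(token):
            return False
        s = self.sessions[token]
        u = self.users[s["user"]]
        u["pw_hash"] = self._hash(new_password)
        if invalidate_others:
            u["pw_version"] += 1          # every other session now fails is_valid()
            s["pw_version"] = u["pw_version"]  # only the changing session is kept
        return True

def other_session_survives(invalidate_others):
    """Constructed scenario: Chrome changes the password, does Firefox stay logged in?"""
    store = SessionStore()
    store.register("alice", "old-pw")
    chrome, firefox = store.login("alice", "old-pw"), store.login("alice", "old-pw")
    assert store.change_password(chrome, "new-pw", invalidate_others)
    return store.is_valid(firefox)
```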
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)