My name is Shridhar Rajaput, and as a security researcher, my days are often filled with exploration and discovery within the digital realm. Recently, I encountered a puzzling scenario that unveiled a significant flaw in session management — a flaw that could compromise user security in unexpected ways.
One ordinary afternoon, I logged into an application using my valid credentials, ready to test its functionalities. Everything seemed secure, or so I thought. With the mindset of any proactive user, I decided it was time to change my password — a standard practice that every user should follow.
Navigating to the account settings, I updated my password without hesitation. But then, curiosity struck: what happens to my active session when I change my password? Would it remain intact, or would I be logged out?
To satisfy my curiosity, I opened a new incognito window while keeping my original session active. What I found left me astonished: I was still able to access my account and perform actions seamlessly. It was as if the password change had no impact on my existing session!
This moment was eye-opening. Here was a significant security oversight — an attacker who managed to gain access to an active session could exploit this flaw, manipulating the account without the user’s knowledge or consent.
The implications of this vulnerability were grave:
Unauthorized Access: An attacker could hijack an active session post-password change, leading to potential identity theft or data breaches.
Loss of Control: Users believing they had secured their accounts by changing their passwords would remain vulnerable, unaware that their old sessions were still active.
Recognizing the urgency of the situation, I documented my findings meticulously. I emphasized the necessity for the application to invalidate all active sessions immediately upon a password change. Additionally, I suggested implementing user notifications regarding active sessions, empowering users to take charge of their security.
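The fix recommended above (invalidate every session on a password change, and give users a view of their active sessions) can be demonstrated with a small server-side session store. The following is an added example written for this post; it is not the author's code and not the code of the application that was tested. It assumes a hypothetical `AuthStore` that keeps sessions in memory and tags each one with the credential version it was issued under, so that bumping that version on a password change invalidates everything issued before it. `change_password_vulnerable` reproduces the behaviour the post describes, and `change_password` is the hardened form.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    cred_version: int = 1  # bumped on every password change


@dataclass
class Session:
    token: str
    username: str
    cred_version: int  # credential version the session was issued under
    created_at: float


class AuthStore:
    """Hypothetical in-memory user and session store (constructed for this example)."""

    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # token -> Session

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, user, password):
        return hmac.compare_digest(self._hash(password, user.salt), user.pw_hash)

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user.username, user.cred_version, time.time())
        return token

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = User(username, salt, self._hash(password, salt))

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not self._check(user, password):
            return None
        return self._issue(user)

    def current_user(self, token):
        """Resolve a token to a username; sessions older than the last password change are rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None
        user = self.users[s.username]
        if s.cred_version != user.cred_version:
            del self.sessions[token]  # stale: issued under a previous password
            return None
        return user.username

    def change_password_vulnerable(self, token, new_password):
        """The flaw from the post: the stored hash changes, existing sessions are left alone."""
        username = self.current_user(token)
        if username is None:
            return False
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = self._hash(new_password, user.salt)
        return True

    def change_password(self, token, old_password, new_password):
        """Hardened: re-authenticate, bump the credential version, revoke all
        sessions for the account, then issue a fresh session to the caller."""
        username = self.current_user(token)
        if username is None:
            return None
        user = self.users[username]
        if not self._check(user, old_password):
            return None
        user.salt = os.urandom(16)
        user.pw_hash = self._hash(new_password, user.salt)
        user.cred_version += 1
        for t in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[t]
        return self._issue(user)

    def active_sessions(self, username):
        """Data for a 'your active sessions' page or a notification to the user."""
        return [(s.token[:8], s.created_at) for s in self.sessions.values()
                if s.username == username]


def demo():
    """Constructed scenario: two sessions for one account, then a password change each way."""
    store = AuthStore()
    store.register("alice", "old-pass")
    browser = store.login("alice", "old-pass")
    other = store.login("alice", "old-pass")  # second session, standing in for one the user did not expect
    store.change_password_vulnerable(browser, "new-pass")
    other_survives_vulnerable = store.current_user(other) == "alice"
    fresh = store.change_password(browser, "new-pass", "newer-pass")
    other_revoked = store.current_user(other) is None
    caller_still_logged_in = store.current_user(fresh) == "alice"
    return other_survives_vulnerable, other_revoked, caller_still_logged_in


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The credential-version check in `current_user` is what makes the fix robust: even if the eager deletion loop were skipped (for example with sessions spread over several cache nodes), any session issued under the old password fails validation on its next request. Re-issuing a fresh token to the caller keeps the user who changed the password logged in, which is the usual compromise between "invalidate everything" and not surprising the user.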
As I submitted my report, I reflected on the lessons learned from this experience. It served as a stark reminder that even minor oversights in session management can lead to substantial vulnerabilities. As security researchers, we must remain vigilant and proactive in our efforts to safeguard user accounts.
Interestingly, when I submitted my findings, I learned that this bug had been reported before me and was marked as a duplicate. This experience reinforced the importance of collaboration in the security community, where shared knowledge can lead to stronger protections for all users.