Logic Bug | Old Session Does Not Expires After Password Change

6 months ago 15
BOOK THIS SPACE FOR AD
ARTICLE AD

Saeid Khater

Overview of the Vulnerability:

While I was researching, I discovered that the application had a vulnerability where sessions would not be revoked after a password change. In this scenario, when the user changes the password, other sessions that were signed in with the old password are not cancelled.

Vulnerability flow

Steps:

Login with the same account in Chrome and Firefox Simultaneously using the URL: https://www.Redecated.gov/log-in/Change the password in Chrome Browser using the URL: https://www.Redecated.gov/account/profile/passwordGo to firefox (attacker session) and Update any information, the information will be updated

Impact:

If the user logs into any device in an Internet café or public place and forgets to log out of his account, and tries to change his password, the attacker will still have access to his account.If the attacker has a user password and logged in different places, As other sessions are not destroyed, the attacker will be still logged in to your account even after changing the password, cause his session is still active. A malicious actor can complete access your account till that session expires! So, your account remains insecure even after the changing of password.

Unfortunately, over long periods of time, they are all Duplicated, but the time difference between my sending and the first report is only a few hours in most of them :(

Read Entire Article