Hi Team,

Is there any update on this? I'm hoping to receive a reward for the
reported bug.

Waiting for your response.

On Fri, Dec 30, 2022 at 5:46 AM Asad Ali <asadali.282...@gmail.com> wrote:

> Hey Team,
>
>
>
> I'm a penetration tester and bug bounty hunter. I have found a potential
> vulnerability in the site. Please review the report below.
>
>
>
> Vulnerability: Broken Authentication & Session Management
> We have observed that when we change the "password" from one browser, in
> place of session expiration in the other browser it just updates the password
> in the other browser and the old session gets updated without being logged
> out. The flow goes like this:
> Broken Authentication and Session Management > Failure to Invalidate
> Session > On Password Change
> Steps:
>
> 1- Login from two browsers at a time [From Chrome browser and from Mozilla
> Firefox].
>
> 2- Change password in settings from the Chrome browser.
>
> 3- Now Check Mozilla Firefox.
>
> 4- Your Session got "updated" in place of expiration.
>
>
>
>
> The same goes when using two different computer systems.
>
> 1- Login from two computers at a time
>
> 2- Change password in settings from computer A.
>
> 3- Now Check computer B.
>
> 4- Your Session got "updated" in place of expiration.
>
> Recommendations: If the session is updated from one browser/computer, the
> other should expire first and renew the session after login.
>
>
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty.
>

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
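The behaviour the report describes, and the fix it recommends, as an added example that is not part of the original message and is not code from Cygwin or from the report's author: an in-memory session store in which a password change either leaves every other session alive (the reported behaviour) or stamps sessions with a credential generation so that any session issued before the change is rejected on its next request. All names here (User, Session, SessionStore, reproduce) are assumptions for illustration, not the API of any real product; the two "browsers" are simply two login tokens for the same account.

```python
"""Added example: session invalidation on password change.

Not from the original report or from Cygwin. Class and function names are
illustrative assumptions. The same store is run twice: once without
invalidation (the reported behaviour) and once with it (the recommended fix).
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    # Incremented on every password change; each session records the value
    # that was current when it was issued.
    credential_generation: int = 0


@dataclass
class Session:
    user: str
    generation: int


class SessionStore:
    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate_on_password_change = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(
            _hash_password(password, user.salt), user.pw_hash
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_generation)
        return token

    def current_user(self, token: str) -> Optional[str]:
        """Resolve a session token; None means the session is not valid."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess.user]
        if (
            self.invalidate_on_password_change
            and sess.generation != user.credential_generation
        ):
            # Issued before the most recent password change: treat as expired.
            del self.sessions[token]
            return None
        return sess.user

    def change_password(self, token: str, old: str, new: str) -> bool:
        name = self.current_user(token)
        if name is None:
            return False
        user = self.users[name]
        if not hmac.compare_digest(_hash_password(old, user.salt), user.pw_hash):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new, user.salt)
        user.credential_generation += 1
        if self.invalidate_on_password_change:
            # Re-stamp only the session that made the change; every other
            # session for this user now fails the generation check.
            self.sessions[token] = Session(name, user.credential_generation)
        return True


def reproduce(invalidate: bool) -> Tuple[bool, bool]:
    """Replay the report's steps with two concurrent logins ("Chrome" and
    "Firefox"). Returns (changer_still_valid, other_still_valid)."""
    store = SessionStore(invalidate_on_password_change=invalidate)
    store.register("alice", "old-password")  # constructed sample account
    chrome = store.login("alice", "old-password")
    firefox = store.login("alice", "old-password")
    if not store.change_password(chrome, "old-password", "new-password"):
        raise RuntimeError("password change unexpectedly rejected")
    return (
        store.current_user(chrome) is not None,
        store.current_user(firefox) is not None,
    )


if __name__ == "__main__":
    print("without invalidation (chrome, firefox):", reproduce(False))
    print("with invalidation    (chrome, firefox):", reproduce(True))
```

The generation counter is the cheap way to get this right without enumerating sessions: a server that stores sessions in a cache or a signed cookie can still reject stale ones by comparing a per-user value, and the same counter can be bumped on "log out everywhere" or on a suspected compromise. Issuing a fresh token to the session that changed the password is deliberate, so the user who rotated the credential is not logged out of the device they are using.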