Legal Robot: Missing access control at password change

2016-08-31T07:07:55
ID H1:164648
Type hackerone
Reporter attacker911
Modified 2017-09-11T21:45:49

Description

A security researcher discovered that after resetting a password, the user was automatically logged in. As a result, anyone who obtained a legitimate password reset link (for example through the reset token leaking via the HTTP Referer header, or a similar issue) could take over the account, since the holder of the link was never required to log in after resetting the password. The OWASP Forgot Password recommendations describe a better approach, which we have now implemented. Thanks to @attacker911 for another great report!
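The behaviour the report describes, and the safer flow the OWASP Forgot Password guidance recommends, as an added example that is not code from Legal Robot or from the report: an in-memory model of a reset endpoint in which `reset_password_weak` sets the new password and hands the bearer of the link a session, while `reset_password` consumes the token (single use, time-limited), revokes every existing session for the account and returns no session, so the user has to sign in with the new password. The `AccountStore` class, the 15-minute token lifetime and the SHA-256 stand-in for a real password hash are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes


def _hash(value: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); also used to store
    # reset tokens so a leaked table does not expose live reset links.
    return hashlib.sha256(value.encode()).hexdigest()


class AccountStore:
    """Hypothetical in-memory account, session and reset-token store."""

    def __init__(self):
        self.passwords = {}     # username -> password hash
        self.sessions = {}      # session id -> username
        self.reset_tokens = {}  # hash(token) -> (username, expires_at)

    def add_user(self, username, password):
        self.passwords[username] = _hash(password)

    def login(self, username, password):
        stored = self.passwords.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def issue_reset_token(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token  # this value goes into the emailed link

    def _consume_token(self, token, now):
        # Single use: the token is removed on first presentation, valid or expired.
        entry = self.reset_tokens.pop(_hash(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        return None if now > expires_at else username

    def reset_password_weak(self, token, new_password, now=None):
        """The reported behaviour: a valid link changes the password AND logs the bearer in."""
        now = time.time() if now is None else now
        username = self._consume_token(token, now)
        if username is None:
            return None
        self.passwords[username] = _hash(new_password)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid  # whoever holds the link is now authenticated

    def reset_password(self, token, new_password, now=None):
        """Hardened flow: consume token, rotate password, revoke sessions, no auto-login."""
        now = time.time() if now is None else now
        username = self._consume_token(token, now)
        if username is None:
            return False
        self.passwords[username] = _hash(new_password)
        # Revoke every existing session for the account; a prior compromise
        # should not survive the password change.
        for sid in [s for s, u in self.sessions.items() if u == username]:
            del self.sessions[sid]
        return True  # caller redirects to the login page; no session is created


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "old-pw")  # constructed sample account
    link_token = store.issue_reset_token("alice")
    print("hardened reset accepted:", store.reset_password(link_token, "new-pw"))
    print("link reused:", store.reset_password(link_token, "again"))
    print("login with new password:", store.login("alice", "new-pw") is not None)
```

The contrast to check in a real code base is the return value of the reset handler: the weak variant returns a session, the hardened one returns only a success flag and leaves the user to authenticate, which is what removes the value of a leaked link.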