HackerOne: Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)

2014-06-23T19:33:37
ID H1:17383
Type hackerone
Reporter appsecure_in
Modified 2014-07-26T07:34:59

Description

Hi,

Hope you are good!

Steps to repro:

1) Create a HackerOne account having email address "a@x.com".
2) Now logout and ask for a password reset link. Don't use the password reset link.
3) Login using the same password back and update your email address to "b@x.com" and verify the same.
4) Now logout and use the password reset link which was mailed to "a@x.com" in step 2.
5) Password will be changed.

All previous password reset links should automatically expire once a user changes his email address. Please let me know if this can be fixed.

Best Regards,
Anand Prakash
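The flaw in the report is a reset token that stays bound to the account regardless of what happens to the account's email afterwards. The following is an added illustration, not HackerOne's code: a constructed in-memory reset service in the weak form (tokens keyed by user id only, never revoked on email change) beside a hardened subclass that revokes outstanding tokens when the email changes and, as defence in depth, refuses any token whose issuing email no longer matches the account. All class and field names (`ResetService`, `HardenedResetService`, `replay_report`, the `a@x.com`/`b@x.com` sample accounts) are assumptions made for the example.

```python
"""Added example (not HackerOne's code): password-reset tokens that are
revoked when the account's email changes, beside the weak pattern."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class Account:
    def __init__(self, user_id, email, password):
        self.user_id = user_id
        self.email = email
        self.password = password  # kept in clear only to keep the example short


class ResetService:
    """Weak pattern: tokens are tied to the user id only, so a link mailed to the
    old address stays valid after the address is changed."""

    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl = ttl
        self.accounts = {}   # user_id -> Account (constructed sample data)
        self.tokens = {}     # sha256(token) -> {"user_id", "email", "expires"}

    def _now(self):
        return datetime.now(timezone.utc)

    def request_reset(self, email):
        user = next(a for a in self.accounts.values() if a.email == email)
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a leaked store cannot be replayed.
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "user_id": user.user_id,
            "email": email,               # address the link was mailed to
            "expires": self._now() + self.ttl,
        }
        return token

    def change_email(self, user_id, new_email):
        self.accounts[user_id].email = new_email   # old tokens left untouched

    def redeem(self, token, new_password):
        # Single use: the record is removed whether or not the reset succeeds.
        rec = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None or rec["expires"] < self._now():
            return False
        self.accounts[rec["user_id"]].password = new_password
        return True


class HardenedResetService(ResetService):
    """Fix suggested by the report: an email change expires every outstanding
    reset link for that account."""

    def change_email(self, user_id, new_email):
        super().change_email(user_id, new_email)
        self.tokens = {h: r for h, r in self.tokens.items()
                       if r["user_id"] != user_id}

    def redeem(self, token, new_password):
        h = hashlib.sha256(token.encode()).hexdigest()
        rec = self.tokens.get(h)
        # Defence in depth: the token must still match the account's current email.
        if rec is not None and rec["email"] != self.accounts[rec["user_id"]].email:
            del self.tokens[h]
            return False
        return super().redeem(token, new_password)


def replay_report(service):
    """Walk the report's steps on the given service; return True if the stale
    link still changes the password (i.e. the service is affected)."""
    service.accounts[1] = Account(1, "a@x.com", "original-password")
    token = service.request_reset("a@x.com")        # step 2: link mailed, unused
    service.change_email(1, "b@x.com")               # step 3: address changed
    return service.redeem(token, "new-password")     # step 4: old link used


if __name__ == "__main__":
    print("weak service affected:", replay_report(ResetService()))
    print("hardened service affected:", replay_report(HardenedResetService()))
```

Revoking on email change is the primary control; the current-email check in `redeem` catches the same condition if a revocation path is ever missed, and the single-use pop keeps a redeemed token from being replayed.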