Weblate: [hosted.weblate.org] Account Takeover

ID H1:223637
Type hackerone
Reporter mga_bobo
Modified 2017-05-17T14:09:10


Hello Team,

Steps to Reproduce:

  • Go to the login page.
  • Reset your password by clicking "Reset it".
  • Enter your email and answer the captcha.
  • Go to your email and click the reset link.
  • You don't need to change your password, because you'll be logged in.

Scenario: the victim forgot to log out of his/her email account at a cafe/internet rental shop. The attacker clicks the reset-password link and, because of the improper invalidation of the session on password reset links, can gain access to the victim's account.

Let me know if you need more information.

Best Regards,
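The flaw the report describes is that following the reset link by itself creates a logged-in session, so whoever can read the mailbox gets the account without ever setting a new password. The following is an added illustration, not Weblate's code and not part of the original report: a minimal in-memory model of a reset flow showing the vulnerable behaviour next to a hardened one. Assumptions: the stores are plain dictionaries (a real application would use its database), the injectable `now` clock exists only so expiry can be exercised, and SHA-256 stands in for a real password hash (use argon2 or bcrypt in practice). The hardened path stores only the hash of the token, expires it, burns it on first use, does not create a session until a new password has been submitted, and revokes every existing session at that point.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


class ResetFlow:
    """Constructed in-memory model of a password-reset flow (assumption:
    a real application backs the same state with a database)."""

    def __init__(self, ttl_seconds: int = 3600,
                 now: Callable[[], float] = time.time):
        self.now = now
        self.ttl = ttl_seconds
        # email -> {"salt": str, "pw": salted hash, "sessions": set of ids}
        self.users: Dict[str, dict] = {}
        # sha256(token) -> (email, expiry). Only the hash is stored so a
        # database leak does not hand out live reset links.
        self.tokens: Dict[str, tuple] = {}

    # --- account helpers ------------------------------------------------
    def add_user(self, email: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[email] = {"salt": salt,
                             "pw": _sha256(salt + password),
                             "sessions": set()}

    def login(self, email: str, password: str) -> Optional[str]:
        u = self.users.get(email)
        if u is None or not secrets.compare_digest(
                u["pw"], _sha256(u["salt"] + password)):
            return None
        return self._new_session(email)

    def _new_session(self, email: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.users[email]["sessions"].add(sid)
        return sid

    # --- reset request (shared by both variants) -------------------------
    def request_reset(self, email: str) -> Optional[str]:
        """Return the raw token that would be embedded in the emailed link."""
        if email not in self.users:
            return None  # the UI should still say "email sent" (no enumeration)
        token = secrets.token_urlsafe(32)
        self.tokens[_sha256(token)] = (email, self.now() + self.ttl)
        return token

    def _lookup(self, token: str) -> Optional[str]:
        """Map a raw token to its user, dropping it if it has expired."""
        key = _sha256(token)
        entry = self.tokens.get(key)
        if entry is None:
            return None
        email, expires = entry
        if self.now() > expires:
            del self.tokens[key]
            return None
        return email

    # --- VULNERABLE: the behaviour the report describes -----------------
    def click_link_vulnerable(self, token: str) -> Optional[str]:
        """Following the link logs the holder in at once, no new password
        required, and the token is never consumed."""
        email = self._lookup(token)
        if email is None:
            return None
        return self._new_session(email)

    # --- HARDENED -------------------------------------------------------
    def click_link_hardened(self, token: str) -> bool:
        """Following the link only proves the token is live; no session yet."""
        return self._lookup(token) is not None

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Set the new password, burn the token and revoke every existing
        session. The user must then log in with the new password."""
        email = self._lookup(token)
        if email is None:
            return False
        del self.tokens[_sha256(token)]           # single use
        u = self.users[email]
        u["salt"] = secrets.token_hex(8)
        u["pw"] = _sha256(u["salt"] + new_password)
        u["sessions"].clear()                     # log out anyone already in
        return True


if __name__ == "__main__":
    flow = ResetFlow()
    flow.add_user("victim@example.com", "old-pass")   # constructed sample user
    tok = flow.request_reset("victim@example.com")
    print("vulnerable: session from link alone ->",
          flow.click_link_vulnerable(tok) is not None)
    tok = flow.request_reset("victim@example.com")
    print("hardened: link valid but no session ->", flow.click_link_hardened(tok))
    print("hardened: reset completes once ->",
          flow.complete_reset(tok, "new-pass"), flow.complete_reset(tok, "x"))
```

The check a tester would run is the one in the report: click the link, change nothing, and see whether a session cookie was issued. With the hardened path the link alone yields no session, the token dies after one completed reset, and the victim's other sessions are revoked once the password changes.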