InVision: ███████

2014-10-31T15:04:48
ID H1:33385
Type hackerone
Reporter frozen
Modified 1970-01-01T00:00:00

Description

Hi. Password reset tokens are still valid if I log in to the account, change the password, and afterwards use the password reset token.

Steps to reproduce

1. Use the password reset option of InVision and you will get a password reset token on your registered email. Don't use it now.

2. Log in to your account and change the password.

3. Now use the password reset token which you got before in the email, and that's it: THE PASSWORD RESET TOKEN IS STILL VALID AFTER CHANGING THE PASSWORD.

MITIGATION

1. All unused tokens should expire after the issuance of a new token.

2. All unused tokens should expire after the user changes their password by successfully logging in to their account.

3. All unused tokens should expire when the user successfully logs in to the account.

Thanks and regards, Jitendra K Singh
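The three mitigations above describe one invalidation policy for reset tokens: issuing a new token, changing the password, and logging in successfully each revoke every outstanding token for that user. The following is an added example of a token store that enforces that policy and replays the report's steps against it; it is illustrative code written for this page, not InVision's implementation, and the class, function and field names, the one-hour lifetime, and the PBKDF2 password hashing are all assumptions. Tokens are stored only as a SHA-256 hash (the plaintext goes into the email alone) and are additionally bound to a per-user password version, so a token that somehow survived revocation would still fail once the password changes.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link (not from the report)


def _hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 keeps the example self-contained; any slow hash would do.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class ResetTokenStore:
    """Hypothetical store that revokes reset tokens on issue, password change, login."""

    def __init__(self):
        self.users = {}   # user_id -> {"salt", "hash", "pw_version"}
        self.tokens = {}  # sha256(token) -> {"user_id", "expires", "pw_version"}

    def add_user(self, user_id, password):
        salt, digest = _hash_password(password)
        self.users[user_id] = {"salt": salt, "hash": digest, "pw_version": 0}

    def _revoke_user_tokens(self, user_id):
        stale = [k for k, t in self.tokens.items() if t["user_id"] == user_id]
        for key in stale:
            del self.tokens[key]

    def issue_token(self, user_id):
        # Mitigation 1: a new token supersedes every earlier unused one.
        self._revoke_user_tokens(user_id)
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = {
            "user_id": user_id,
            "expires": time.time() + TOKEN_TTL_SECONDS,
            "pw_version": self.users[user_id]["pw_version"],
        }
        return token  # plaintext is returned for the email only; the store keeps the hash

    def _check_password(self, user_id, password):
        u = self.users[user_id]
        _, digest = _hash_password(password, u["salt"])
        return hmac.compare_digest(digest, u["hash"])

    def login(self, user_id, password):
        if not self._check_password(user_id, password):
            return False
        # Mitigation 3: a successful login proves control; outstanding links are void.
        self._revoke_user_tokens(user_id)
        return True

    def change_password(self, user_id, new_password):
        u = self.users[user_id]
        u["salt"], u["hash"] = _hash_password(new_password)
        u["pw_version"] += 1          # tokens bound to the old version can no longer match
        self._revoke_user_tokens(user_id)  # Mitigation 2

    def redeem(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)  # single use, whatever happens next
        if entry is None or entry["expires"] < time.time():
            return False
        if entry["pw_version"] != self.users[entry["user_id"]]["pw_version"]:
            return False  # defence in depth: password changed since issuance
        self.change_password(entry["user_id"], new_password)
        return True


def reproduce_report():
    """Replays the report's steps; returns whether the stale token was accepted."""
    store = ResetTokenStore()
    store.add_user("alice", "old-password")
    token = store.issue_token("alice")              # step 1: request a reset, keep it unused
    store.login("alice", "old-password")            # step 2: log in ...
    store.change_password("alice", "new-password")  # ... and change the password
    return store.redeem(token, "attacker-chosen")   # step 3: the old link must now fail


def fresh_token_works():
    """Control case: an unrevoked token still resets the password normally."""
    store = ResetTokenStore()
    store.add_user("alice", "old-password")
    token = store.issue_token("alice")
    return store.redeem(token, "new-password") and store.login("alice", "new-password")


if __name__ == "__main__":
    print("stale token accepted:", reproduce_report())  # expected: False
    print("fresh token accepted:", fresh_token_works())  # expected: True
```

Revoking on login (mitigation 3) makes the explicit revoke in `change_password` redundant for the report's exact sequence, but the password-change path is reachable without a login (through `redeem` itself, or an admin reset), so both hooks are kept; the `pw_version` binding covers any path that forgets to call either.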