Passit: Session not changed after password reset

2018-04-15T09:51:47
ID H1:338518
Type hackerone
Reporter alpha66
Modified 2018-08-11T14:20:19

Description

Hey, I've found a session management issue in app.passit.io which can lead to session takeover!

Issue:

When the password of an account is changed from a session, other sessions don't expire!

Steps To Reproduce:

1) We need to use two different browsers, e.g. 1. Chrome 2. Safari.

2) Log in on both browsers.

3) After logging in on both browsers,

4) change the password.

5) After the password change (the attacker changes user info).

6) Let's check on the other browser whether the user info is changed or not.

7) You can see the user info is changed even after the password change, and the session is still alive.

Reference:

https://hackerone.com/reports/119262

Please let me know if you have any query.

Hope you fix this ASAP

Thank You Alpha66

Impact

It is recommended that sessions must be expired on the server side when the user updates his password from the application.
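One server-side way to implement the recommended behaviour, as an added example that is not Passit's code: every session records the user's password generation at login, and a password change bumps that generation, so every session from before the change fails validation while the session that made the change is re-bound and stays alive. The in-memory `USERS` and `SESSIONS` stores are constructed stand-ins for the application's real tables.

```python
import secrets

# Constructed in-memory stores standing in for the app's user and session tables.
# Passwords are kept in clear only to keep the example short; hash them in real code.
USERS = {}     # username -> {"password": str, "pw_generation": int}
SESSIONS = {}  # session_id -> {"user": str, "pw_generation": int}


def register(username, password):
    USERS[username] = {"password": password, "pw_generation": 0}


def login(username, password):
    """Return a new session id bound to the user's current password generation."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"], password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "pw_generation": user["pw_generation"]}
    return sid


def session_user(sid):
    """Resolve a session to a user, rejecting sessions issued before the last password change."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["pw_generation"] != USERS[sess["user"]]["pw_generation"]:
        SESSIONS.pop(sid, None)  # stale: issued before the password changed
        return None
    return sess["user"]


def change_password(sid, old_password, new_password):
    """Change the password and invalidate every other session of that user.

    The calling session is re-bound to the new generation, so the user who
    changed the password stays logged in; all other sessions (the "other
    browser" in the report) are rejected on their next request.
    """
    username = session_user(sid)
    if username is None:
        return False
    user = USERS[username]
    if not secrets.compare_digest(user["password"], old_password):
        return False
    user["password"] = new_password
    user["pw_generation"] += 1
    SESSIONS[sid]["pw_generation"] = user["pw_generation"]
    return True
```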