Passit: Session not changed after password reset

ID H1:338518
Type hackerone
Reporter alpha66
Modified 2018-08-11T14:20:19


Hey, I've found a session management issue, which can lead to session takeover!


When the password of an account is changed from a session, other sessions don't expire!

Steps To Reproduce:

1) We need to use two different browsers, e.g. 1. Chrome, 2. Safari.

2) Log in in both browsers.

3) After logging in in both browsers,

4) change the password.

5) After the password change (attacker changes user info),

6) let's check in the other browser whether the user info is changed or not.

7) You can see the user info is changed even after the password change, and the session is still alive.


Please let me know if you have any query.

Hope you fix this ASAP

Thank You Alpha66


It is recommended that sessions be expired on the server side when the user updates their password from the application.
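As an added illustration of that recommendation (example code, not Passit's implementation): a minimal session store that binds each token to a per-user password version, so every session issued before a password change fails on its next request while the session that made the change gets a fresh token. The class and function names are assumptions, and the hash function is a constructed stand-in.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_pw(password: str) -> str:
    # Constructed stand-in; a real application uses a salted KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    password_version: int = 0  # incremented on every password change


@dataclass
class SessionStore:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # token -> (username, password_version)

    def _issue(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user.username, user.password_version)
        return token

    def login(self, username: str, password: str) -> str:
        user = self.users[username]
        if not hmac.compare_digest(user.password_hash, hash_pw(password)):
            raise PermissionError("bad credentials")
        return self._issue(user)

    def authenticate(self, token: str):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, version = entry
        user = self.users[username]
        if version != user.password_version:
            # Issued before the last password change: treat as expired and drop it.
            del self.sessions[token]
            return None
        return user

    def change_password(self, token: str, old_password: str, new_password: str) -> str:
        user = self.authenticate(token)
        if user is None or not hmac.compare_digest(user.password_hash, hash_pw(old_password)):
            raise PermissionError("not authenticated")
        user.password_hash = hash_pw(new_password)
        user.password_version += 1  # every other session now carries a stale version
        del self.sessions[token]     # rotate the changing session's own token too
        return self._issue(user)
```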