Omise: Broken Authentication and Session Management Flaw After Change Password and Logout

ID H1:634488
Type hackerone
Reporter root_geek
Modified 2020-11-08T07:36:53



Usually it's happened that when you change password or sign out from one place (or one browser), automatically someone who is open same account will sign out too from another browser. Basically your session destroyed at server side... But in your site, it still alive..


Detail About Vulnerability and PoC on Attachment File

Noted: You can try these vulnerability in another site. (e.g,, etc). It's not alive when another has changed password and sign out

For More Information about This Vulnerability You can check OWASP Guide

Attachment Video


Account profile still can be edited even in another browser the account has signedout and changed password