Omise: Broken Authentication and Session Management Flaw After Change Password and Logout

2019-07-03T15:24:20
ID H1:634488
Type hackerone
Reporter root_geek
Modified 2020-11-08T07:36:53

Description

Summary

Usually what happens is that when you change your password or sign out from one place (or one browser), anyone who has the same account open is automatically signed out from the other browser too. Basically, your session is destroyed on the server side... But on your site, it is still alive..

PoC

Details about the vulnerability and the PoC are in the attachment file.

Note: You can try this vulnerability on other sites (e.g. cryptfolio.com, facebook.com, etc.). There, the session is no longer alive once another browser has changed the password and signed out.

For more information about this vulnerability, you can check the OWASP guide:

https://www.owasp.org/index.php?title=Broken_Authentication_and_Session_Management&setlang=en

Attachment Video

https://gofile.io/?c=Vt4m42

Impact

The account profile can still be edited even though, in another browser, the account has been signed out and its password changed.
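The behaviour the report describes, and the server-side fix, as an added illustration that is not part of the report or of Omise's code: the defective handler rotates the password but leaves every existing session valid, while the fixed handler revokes all of the user's sessions by bumping a per-user "session epoch" that each session must match. All stores, user names and passwords below are constructed in-memory stand-ins (plaintext passwords are used only to keep the demo short).

```python
import secrets

# Constructed in-memory stores standing in for a real user and session backend.
USERS = {"alice": {"password": "old-pass", "session_epoch": 0}}
SESSIONS = {}  # session_id -> {"user": <username>, "epoch": <epoch at issue time>}


def login(username, password):
    """Issue a session bound to the user's current session epoch."""
    user = USERS.get(username)
    if user is None or password != user["password"]:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "epoch": user["session_epoch"]}
    return sid


def is_valid(sid):
    """A session is valid only while its epoch matches the user's current epoch."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    return session["epoch"] == USERS[session["user"]]["session_epoch"]


def change_password_vulnerable(username, new_password):
    """Defective: rotates the credential but every session stays alive,
    so a second browser keeps editing the profile after the change."""
    USERS[username]["password"] = new_password


def change_password_fixed(username, new_password):
    """Rotates the credential and revokes all sessions for the user.
    Bumping the epoch invalidates every session issued before the change,
    including those on browsers the server never hears from again."""
    USERS[username]["password"] = new_password
    USERS[username]["session_epoch"] += 1


def logout_everywhere(username):
    """Sign out from one place and terminate the user's sessions everywhere."""
    USERS[username]["session_epoch"] += 1
```

After `change_password_fixed`, the caller should issue the changing browser a fresh session via `login` so only that browser stays signed in.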