Gener8: Session not invalidated after password reset

2020-07-06T18:51:03
ID H1:917213
Type hackerone
Reporter 5hu8h4m_n4g4
Modified 2020-08-18T08:53:29

Description

After a user performed a password reset, none of their active refresh tokens were invalidated. This could allow an adversary with access to a valid refresh token to regain control of a victim's account after the password reset was completed.
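A minimal sketch of the flaw and its fix, added here as an illustration and not taken from the report or from Gener8's code: the `AuthStore` class, its in-memory token table and the sample accounts are all hypothetical. With `revoke_on_reset=False` a refresh token issued before the reset still works afterwards; with it enabled, the reset deletes the user's outstanding tokens.

```python
import hashlib
import hmac
import secrets

class AuthStore:
    """In-memory stand-in for a user/refresh-token table (hypothetical schema)."""

    def __init__(self, revoke_on_reset=True):
        self.revoke_on_reset = revoke_on_reset
        self.passwords = {}       # user -> salt || PBKDF2 hash
        self.refresh_tokens = {}  # sha256(token) -> user; raw tokens are never stored

    @staticmethod
    def _hash_pw(password, salt):
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        self.passwords[user] = self._hash_pw(password, secrets.token_bytes(16))

    def login(self, user, password):
        stored = self.passwords[user]
        if not hmac.compare_digest(stored, self._hash_pw(password, stored[:16])):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def refresh(self, token):
        """Return the owning user if the refresh token is still valid, else None."""
        return self.refresh_tokens.get(hashlib.sha256(token.encode()).hexdigest())

    def reset_password(self, user, new_password):
        self.register(user, new_password)
        if self.revoke_on_reset:
            # The fix: drop every refresh token issued to this user before the reset.
            self.refresh_tokens = {h: u for h, u in self.refresh_tokens.items() if u != user}

def token_survives_reset(revoke_on_reset):
    """True if a refresh token issued before the reset is still accepted after it."""
    store = AuthStore(revoke_on_reset)
    store.register("alice", "old-password")      # constructed sample accounts
    store.register("bob", "bob-password")
    old_token = store.login("alice", "old-password")
    bob_token = store.login("bob", "bob-password")
    store.reset_password("alice", "new-password")
    assert store.refresh(bob_token) == "bob"     # other users' sessions are untouched
    return store.refresh(old_token) == "alice"

if __name__ == "__main__":
    print("without revocation:", token_survives_reset(False))
    print("with revocation:   ", token_survives_reset(True))
```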