Active user sessions should be destroyed on password change
C2FO allowed multiple concurrent session tokens for one user account and did not destroy them when that account's password was changed. As faisalahmed pointed out in the ticket, this matters because a password change is one of the first things a victim will do after noticing strange account activity; since the existing sessions survive the change, an attacker who already holds a session token keeps control of the account.
How To Perform
- Log into the same account from two different browsers (e.g. Chrome and Firefox)
- Change the account's password in one browser
- Check whether the session in the other browser has been destroyed
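An added example, not code from the C2FO report or from the reporter: a minimal session store that binds each token to a per-account password generation counter, so bumping the counter on a password change invalidates every other session without having to enumerate them, and a `two_browser_check` function that automates the steps above. All names (`SessionStore`, `Account`, `login`, `change_password`) are hypothetical, and the toy SHA-256 hash stands in for a real password hash.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from hashlib import sha256

def _hash(pw):
    return sha256(pw.encode()).digest()  # toy; use argon2/bcrypt in production

@dataclass
class Account:
    password_hash: bytes
    generation: int = 0  # bumped on every password change

@dataclass
class SessionStore:
    accounts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # token -> (user, generation)

    def register(self, user, password):
        self.accounts[user] = Account(_hash(password))

    def login(self, user, password):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, _hash(password)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, acct.generation)  # bound to current generation
        return token

    def is_valid(self, token):
        user, generation = self.sessions.get(token, (None, -1))
        return user is not None and generation == self.accounts[user].generation

    def change_password(self, token, new_password):
        if not self.is_valid(token):
            raise PermissionError("session not valid")
        user, _ = self.sessions[token]
        acct = self.accounts[user]
        acct.password_hash = _hash(new_password)
        acct.generation += 1  # every session bound to the old generation is now dead
        self.sessions[token] = (user, acct.generation)  # keep only the changing session

def two_browser_check():
    # The steps above, automated: two logins, change the password in one, check the other.
    store = SessionStore()
    store.register("victim", "old-password")
    chrome = store.login("victim", "old-password")
    firefox = store.login("victim", "old-password")
    store.change_password(chrome, "new-password")
    return {"changer": store.is_valid(chrome), "other": store.is_valid(firefox)}
```

With the fix in place `two_browser_check()` returns `{"changer": True, "other": False}`; a store that does not bump the generation would leave `"other"` at `True`, which is the behaviour the report describes.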