Active user sessions should be destroyed on password change

From Hackipedia
Hackerone #10377
Target: C2FO
Target Module:
Type: Authentication
Payload:
Original: Link
CVE:
C2FO allowed multiple concurrent session tokens for a single user account and did not destroy them when that account's password was changed. As faisalahmed pointed out in the ticket, this is a problem because a victim who notices suspicious account activity will typically change the password as one of the first responses; since existing sessions survive the change, an attacker who already holds a session token keeps control of the account.

How To Perform

  1. Log into the same account from two different browsers (e.g. Chrome and Firefox)
  2. Change the account's password in one of the browsers
  3. Check whether the session in the other browser has been destroyed
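A server-side fix for the behaviour the steps above test for, as an added example that is not C2FO's code: each session records the password "generation" it was issued under, and a password change bumps that generation and drops the user's sessions, so the second browser is logged out. The `AuthService` class and its in-memory dicts are constructed for this example.

```python
import hashlib
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory auth service (example code, not C2FO's implementation).
class AuthService:
    def __init__(self):
        self._users = {}     # username -> {"salt", "hash", "generation"}
        self._sessions = {}  # token -> (username, password generation at issue time)

    def _set_password(self, username, password, generation):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt), "generation": generation}

    def register(self, username, password):
        self._set_password(username, password, generation=0)

    def _check(self, username, password):
        u = self._users.get(username)
        return u is not None and secrets.compare_digest(u["hash"], _hash(password, u["salt"]))

    def login(self, username, password):
        """Return a fresh session token, or None on bad credentials."""
        if not self._check(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._users[username]["generation"])
        return token

    def session_user(self, token):
        """Username for a live session; None if unknown or issued before the last password change."""
        username, generation = self._sessions.get(token, (None, None))
        if username is None or generation != self._users[username]["generation"]:
            return None
        return username

    def change_password(self, token, old_password, new_password):
        """Rotate the password, revoke every session of the user (caller's included), return a new token."""
        username = self.session_user(token)
        if username is None or not self._check(username, old_password):
            return None
        self._set_password(username, new_password, self._users[username]["generation"] + 1)
        # Eager revocation; the generation check in session_user() also rejects any session a store failed to enumerate.
        for tok in [t for t, (u, _) in self._sessions.items() if u == username]:
            del self._sessions[tok]
        return self.login(username, new_password)
```

Keeping the generation in the session record means the check still holds for sessions persisted in a distributed store that cannot be enumerated at change time.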