Password Reset Authentication and Session Management
HackerOne had an error in how they linked password reset tokens to accounts. Password reset tokens were still valid after the email address on the account was changed, so a token sent to the old address could still reset the password. This could hypothetically turn a typo in the new address into an account hijacking.
How To Perform
- Create an account with your primary email (firstname.lastname@example.org)
- Request a password reset (may have to log out)
- Change email address on account to secondary email (email@example.com)
- Log out
- Use the password reset link sent to firstname.lastname@example.org to hijack the account
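The steps above replayed against a small model of a reset-token store, as an added example (not HackerOne's code or the report's). The vulnerable variant keeps a token valid after the account's email changes; the hardened variant records the address each token was mailed to, rejects a token whose address no longer matches the account, and revokes outstanding tokens on every email change. Class and function names, the one-hour TTL and the plain SHA-256 password hash (a real system uses a slow hash such as bcrypt or Argon2) are all assumptions made for the example.

```python
"""Model of password-reset token handling (added example, not HackerOne's code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    account_id: int
    email: str
    password_hash: Optional[str] = None


@dataclass
class ResetToken:
    account_id: int
    email_at_issue: str   # the address the reset link was mailed to
    expires_at: float


class PasswordResetService:
    def __init__(self, bind_token_to_email: bool, ttl_seconds: int = 3600):
        # bind_token_to_email=False reproduces the reported behaviour;
        # True is the hardened configuration.
        self.bind_token_to_email = bind_token_to_email
        self.ttl_seconds = ttl_seconds
        self.accounts: Dict[int, Account] = {}
        # Only a hash of each token is stored, so a leaked table does not yield live links.
        self.tokens: Dict[str, ResetToken] = {}

    @staticmethod
    def _digest(raw_token: str) -> str:
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def create_account(self, account_id: int, email: str) -> Account:
        acct = Account(account_id, email)
        self.accounts[account_id] = acct
        return acct

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a single-use token for the account registered under `email`.
        Returns the raw token (what the emailed link would carry), or None."""
        for acct in self.accounts.values():
            if acct.email == email:
                raw = secrets.token_urlsafe(32)
                self.tokens[self._digest(raw)] = ResetToken(
                    acct.account_id, email, time.time() + self.ttl_seconds)
                return raw
        return None

    def change_email(self, account_id: int, new_email: str) -> None:
        self.accounts[account_id].email = new_email
        if self.bind_token_to_email:
            # Hardened: a link mailed to the old address must not survive the change.
            self.tokens = {d: t for d, t in self.tokens.items()
                           if t.account_id != account_id}

    def consume_reset(self, raw_token: Optional[str], new_password: str) -> bool:
        """Return True if the token was accepted and the password was changed."""
        if raw_token is None:
            return False
        # Single use: the record is removed whether or not the checks below pass.
        token = self.tokens.pop(self._digest(raw_token), None)
        if token is None or time.time() > token.expires_at:
            return False
        acct = self.accounts[token.account_id]
        if self.bind_token_to_email and token.email_at_issue != acct.email:
            return False  # mailed to an address the account no longer uses
        # Placeholder password hash for the example; use bcrypt/Argon2 in practice.
        acct.password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        return True


def replay_report_steps(bind_token_to_email: bool) -> bool:
    """Walk through the five steps above. Returns True if the stale link
    still resets the password, i.e. the reported bug is present."""
    svc = PasswordResetService(bind_token_to_email)
    svc.create_account(1, "firstname.lastname@example.org")           # step 1
    link_token = svc.request_reset("firstname.lastname@example.org")  # step 2
    svc.change_email(1, "email@example.com")                          # step 3
    # step 4 (log out) has no server-side effect in this model
    return svc.consume_reset(link_token, "new-password")              # step 5


def legitimate_reset_still_works(bind_token_to_email: bool) -> bool:
    """A normal reset succeeds once; replaying the same token is refused."""
    svc = PasswordResetService(bind_token_to_email)
    svc.create_account(1, "firstname.lastname@example.org")
    tok = svc.request_reset("firstname.lastname@example.org")
    first = svc.consume_reset(tok, "pw1")
    second = svc.consume_reset(tok, "pw2")
    return first and not second


if __name__ == "__main__":
    print("vulnerable config hijacked:", replay_report_steps(False))  # True
    print("hardened config hijacked: ", replay_report_steps(True))   # False
```

Revoking on email change and checking the recorded address at redemption are independent controls; either alone closes the path above, and keeping both means a token that somehow escapes revocation (for example, one issued in a race with the change) is still refused.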