Failure To Invalidate Session on Password Reset - FTISP - Tutorial Boy -->

Failure To Invalidate Session on Password Reset - FTISP

 Hi Team,

While conducting my research I discovered that the application Failure to invalidate session after password. In this scenario changing the password doesn't destroy the other sessions which are logged in with old passwords.


Replication Steps:

  1. Login in your account in two browser
  2. Change password in any one browser
  3. Refresh the page of another browser.

You will see that another session is not logged out! Hence, there was a failure to invalidate the session on Password Change.


Impact:

If an attacker has a user account logged in different places, if the victim logs out of one session, the attacker will be still logged in to your account even after changing the password, cause his session is still active. A malicious actor can completely access your account till that session expires! So, your account remains insecure even after the changing of password.


Mitigation:

Once the password is changed, it should destroy all other sessions.


Kindly tell me if you need more information. I have also attached a PoC with this report.


Thank You