Hey Team,
I'm a penetration tester and bug bounty hunter. I have found a potential vulnerability in the site. Please review the report below.
Vulnerability: Broken Authentication & Session Management
We have observed that when we change "password" from one browser in place of session expiration from another browser it just updates the password from another browser and the old session gets updated without being logged out. The flows goes like this:
Broken Authentication and Session Management > Failure to Invalidate Session > On Password Change
Steps:
1- Login from two browsers at a time [From Chrome browser and from Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.
Same goes with when using two different computer systems.
1- Login from two computers at a time
2- Change password in settings from computer A.
3- Now Check computer B.
4- Your Session got "updated" in place of expiration.
Recommendations: If Session is Updating from one Browser/Computer so other should expire first to renew session after login.
If you require any additional information, please let me know. I'll be waiting to hear from your side regarding the report and bounty.