Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 15.10.2025
Last edited by cbay - 16.10.2025

FS#223 - Failure to invalidate session after logout from 2nd tab

#Failure to invalidate session after logout from 2nd tab.

Hello Team,

I hope you are doing well. While researching your domain, I found a "Failure to invalidate session after logout from 2nd tab" vulnerability in your domain. An attacker can view the token and any sensitive data.

This vulnerability was found in:
1. admin.alwaysdata.com
2. webmail.alwaysdata.com

#Steps to Reproduce:

1. Log in to admin.alwaysdata.com.
2. Open another tab, copy the login account URL and paste it into the 2nd tab.
3. Go to the profile option in the 1st tab, or any other sensitive data page.
4. Log out of your account from the 2nd tab and then go to the 1st tab; don't refresh that page, and you can see that the page is still active and an attacker can see the victim's details or any sensitive data.

Impact:

If a user logs in to their account in a café or in an office, the victim opens another tab to do their work and then logs out of the account in that tab. The victim assumes that the account is logged out and forgets to close the browser, but in the 1st tab the victim's account is still logged in and an attacker can view any sensitive data and token or any bank details.

#Note:

I can make one video for both ('admin.alwaysdata.com', 'webmail.alwaysdata.com').

Thank You,

Waleed Anwar

Closed by cbay
16.10.2025 13:07
Reason for closing: Invalid

Any update, sir?

Admin
cbay commented on 16.10.2025 13:07

Hello,

That's completely standard web behaviour.

Kind regards,
Cyril

I tested this on LinkedIn and different websites; there, sessions are directly terminated if I log out from the second tab.
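
Added illustration, not part of the ticket and not alwaysdata's code: a toy model of the check that separates the two cases discussed in this thread, a tab that still displays content rendered before logout versus a session token that the server still accepts after logout. The `Server` and `Browser` classes, the `invalidate_on_logout` switch and the account name are all constructed for the example.

```python
import secrets

class Server:
    """Toy session store. invalidate_on_logout=False models a real defect:
    logout only clears the cookie and the token stays valid server-side."""
    def __init__(self, invalidate_on_logout=True):
        self.sessions = {}
        self.invalidate_on_logout = invalidate_on_logout

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def logout(self, token):
        if self.invalidate_on_logout:
            self.sessions.pop(token, None)

    def profile(self, token):
        user = self.sessions.get(token)
        if user is None:
            return 401, "login required"
        return 200, f"profile of {user}"

class Browser:
    """One cookie shared by all tabs; each tab keeps what it last rendered."""
    def __init__(self, server):
        self.server = server
        self.cookie = None
        self.rendered = {}

    def load(self, tab):
        status, body = self.server.profile(self.cookie)
        self.rendered[tab] = body
        return status

def triage(server):
    b = Browser(server)
    b.cookie = old = server.login("victim")   # constructed account name
    b.load("tab1")                            # tab 1 shows the profile page
    server.logout(b.cookie)                   # logout clicked in tab 2
    b.cookie = None                           # browser drops the cookie
    stale = b.rendered["tab1"]                # tab 1 not refreshed: old render
    reload_status = b.load("tab1")            # tab 1 refreshed
    replay_status, _ = server.profile(old)    # pre-logout token sent again
    return stale, reload_status, replay_status
```

In both configurations the unrefreshed tab keeps showing the old page and a refresh returns 401; only the replay of the pre-logout token tells them apart (401 when the server deletes the session, 200 when it does not).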
