- Status: Closed
- Assigned To: cbay - Private
- Opened by nhlimon - 18.10.2025
- Last edited by cbay - 20.10.2025
FS#231 - Bug Bounty Report: No IP, Geo, or Device Context Binding for Sessions
Summary:
The session management does not include any IP address, geolocation, or device fingerprinting checks. Once a session token is obtained, it can be replayed from any device, browser, or country, allowing attackers to bypass contextual integrity checks and maintain unauthorized access.
Steps to Reproduce:
1. Log in to alwaysdata.com and capture the session token (e.g., via browser DevTools or proxy).
2. Move to a different device, browser, or VPN geolocation.
3. Replay the captured token (e.g., by importing cookies or using the token in API headers).
🎯 Result: The session remains valid — no reauthentication, MFA challenge, or warning is triggered.
Impact:
- Allows session hijack from another country or device without detection.
- No context-aware defense such as:
  - IP or ASN consistency checks
  - Browser/device fingerprinting
  - Geo-velocity anomaly detection
- Supports stealthy unauthorized access, even if login alerts or 2FA are present.
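The three controls the impact section lists as missing (ASN consistency, device fingerprinting, geo-velocity), as an added illustrative check that is not code from the report or from alwaysdata: a per-session guard records the ASN, client fingerprint and location seen at login and flags a later request whose context differs, escalating to step-up authentication or revocation. The GeoIP/ASN table, coordinates and the 900 km/h travel threshold are constructed assumptions.

```python
import hashlib
import math

# Constructed sample GeoIP/ASN data (documentation IP ranges, invented ASNs and
# coordinates); a real deployment would query an ASN/GeoIP database instead.
IP_CONTEXT = {
    "203.0.113.": (64500, 48.85, 2.35),     # Paris-like location
    "198.51.100.": (64501, 40.71, -74.01),  # New York-like location
}
MAX_KMH = 900.0  # faster than this between two requests counts as impossible travel

def lookup(ip):
    for prefix, ctx in IP_CONTEXT.items():
        if ip.startswith(prefix):
            return ctx  # (asn, lat, lon)
    raise KeyError(f"no context for {ip}")

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

class SessionContextGuard:
    def __init__(self):
        self.sessions = {}  # sid -> {"asn", "device", "lat", "lon", "ts"}

    def check(self, sid, ip, user_agent, ts):
        asn, lat, lon = lookup(ip)
        device = hashlib.sha256(user_agent.encode()).hexdigest()  # fingerprint stand-in
        now = {"asn": asn, "device": device, "lat": lat, "lon": lon, "ts": ts}
        prev = self.sessions.get(sid)
        if prev is None:  # first sighting: record the login context as the baseline
            self.sessions[sid] = now
            return "allow", []
        reasons = []
        if device != prev["device"]:
            reasons.append("device_changed")
        if asn != prev["asn"]:
            reasons.append("asn_changed")
        hours = max(ts - prev["ts"], 1) / 3600  # floor at 1 s to avoid division by zero
        if haversine_km(prev["lat"], prev["lon"], lat, lon) / hours > MAX_KMH:
            reasons.append("impossible_travel")
        if not reasons:
            self.sessions[sid] = now  # advance the baseline only on a clean request
            return "allow", []
        # new device plus impossible travel is a strong replay signal: revoke;
        # any other deviation asks for re-authentication or MFA (step-up)
        if {"device_changed", "impossible_travel"} <= set(reasons):
            return "revoke", reasons
        return "step_up", reasons
```

Wire `check()` into the request path before the session is trusted; the `reasons` list is what you would log to the SIEM alongside the session id so that a replay from a new device or continent is visible even when the login alert never fires.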
Hello,
Yes, and we do not consider this a vulnerability.
Kind regards,
Cyril