- Status: Closed
- Assigned To: cbay - Private
- Opened by bugtest09 - 30.03.2024
- Last edited by cbay - 09.04.2024
FS#45 - Bug Title: Missing access control at password change.
Hello Web Security
Severity: Medium
Domain: https://admin.alwaysdata.com
Description:
A security researcher discovered that after resetting a password, the user was automatically logged in. As such, compromising a legitimate password reset link (via referrer token leakage or a similar issue) could lead to compromising the account since the user would not be forced to log in after resetting their password.
Proof Of Concept:
1. Go to this website: https://admin.alwaysdata.com
2. Send the password reset link to your email.
3. Go to your email and open the link.
4. Set a new password.
5. Boom. Automatically logged in.
Fix:
OWASP forgot password recommendations (https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet) suggest a better approach, which we have now implemented.
Thanks.
References:
https://hackerone.com/reports/164648
https://hackerone.com/reports/255020
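The reset flow the report describes, modelled as an added example (not alwaysdata's code and not OWASP's): the same completion handler with the reported auto-login behaviour and with the hardened behaviour, so what a leaked reset link is worth in each case can be tested. The `ResetFlow` class, its in-memory stores and the sample users are constructed for illustration.

```python
# Added example: a password-reset completion step, with and without auto-login.
# Not alwaysdata's code; ResetFlow and its in-memory stores are constructed.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ResetToken:
    user: str
    expires_at: float
    used: bool = False


class ResetFlow:
    def __init__(self, auto_login: bool, ttl_seconds: int = 900):
        self.auto_login = auto_login   # True reproduces the behaviour in the report
        self.ttl = ttl_seconds
        self.passwords = {}            # user -> (salt, pbkdf2 hash)
        self.tokens = {}               # sha256(raw token) -> ResetToken
        self.sessions = {}             # session id -> user

    @staticmethod
    def _hash_token(raw: str) -> str:
        # Only a digest is stored, so a copy of the table yields no usable links.
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue_token(self, user: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)   # the value the emailed link carries
        self.tokens[self._hash_token(raw)] = ResetToken(user, now + self.ttl)
        return raw

    def complete_reset(self, raw: str, new_password: str, now: float):
        # Returns (status, session_id); session_id stays None unless auto-login is on.
        tok = self.tokens.get(self._hash_token(raw))
        if tok is None or tok.used or now > tok.expires_at:
            return "invalid", None
        tok.used = True                   # single use: a link leaked later is worthless
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.passwords[tok.user] = (salt, digest)
        # Revoke every existing session so anyone already logged in as this user is out.
        self.sessions = {s: u for s, u in self.sessions.items() if u != tok.user}
        if self.auto_login:
            # Reported behaviour: holding the link alone yields an authenticated session.
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = tok.user
            return "ok", sid
        return "ok", None                 # hardened: send the user to the login form
```

With `auto_login=False` the only thing a leaked link buys is one password change before the token is consumed, after which the holder still has to pass the normal login; with `auto_login=True` the same link also hands over a live session.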
Hello,
According to your OWASP link:
As you can see, automatically logging the user in is *not* a vulnerability per se. Doing it only increases the attack surface.
Since your report isn't about an *actual* vulnerability, it's invalid.
Kind regards,
Cyril