Contact me for POC video.
When someone forgets his/her password, each and every active session that belongs to that particular account must be destroyed!
I would recommend you to follow Facebook on this security issue. They fixed this issue a few months back by adding a process that asks users whether they want to close all open sessions or not right after changing their password.
So there are two ways: either you let users choose if they want to keep active sessions, or you just destroy every active session when users change their password!
In this case, 4 issues will happen:
Issue 1: Forced Browsing
Issue 2: Parameter Modification
Issue 3: Session Identifier Prediction
Issue 4: SQL Injection within Login Forms
Please think about this. This is very harmful for your site.
I look forward to hearing from you!
Thanks and Best Wishes.
The attacker will still be logged in to your account even after changing the password, because his session is still active. He'll have complete access to your account until that session expires! Also, the attacker can do anything on your account.

In summary, authentication bypass is an important area to focus on during a penetration test. Bypasses can come in many forms and often arise due to poor implementations such as placing trust in client-side data, utilizing weak tokens, or being careless with database queries and not using prepared statements.
Please contact me on my personal mail: firstname.lastname@example.org
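As an added illustration of the fix the post asks for (example code written for this thread, not OpenCart's own code and not the reporter's POC), here is a minimal session store in Python in which every session records the password version it was issued under. Changing or resetting the password bumps that version, so every older session fails validation without the server having to enumerate them, and the optional "keep my current session" choice the post attributes to Facebook is a one-line re-stamp. Session identifiers come from the CSPRNG so they cannot be predicted. The class and function names and the in-memory dictionaries standing in for database tables are assumptions for this example.

```python
"""Revoke all sessions on password change/reset (added example, not project code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    password_version: int = 0  # incremented on every password change or reset


@dataclass
class Session:
    session_id: str
    username: str
    password_version: int  # version of the password this session was issued under


class AuthStore:
    """In-memory stand-in for the users and sessions tables (assumption)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _check(self, user: User, password: str) -> bool:
        # Constant-time comparison of the stored hash against the candidate.
        return hmac.compare_digest(user.password_hash, self._hash(password, user.salt))

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, self._hash(password, salt), salt)

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not self._check(user, password):
            return None
        # 256-bit random identifier: not guessable, not derived from user data.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, username, user.password_version)
        return sid

    def is_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        # A session issued under an older password version is dead, even though
        # nothing ever deleted it: this is the check that ends the attacker's session.
        return s.password_version == self.users[s.username].password_version

    def _rotate(self, user: User, new_password: str) -> None:
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._hash(new_password, user.salt)
        user.password_version += 1  # every existing session now mismatches

    def change_password(self, username: str, old: str, new: str,
                        current_sid: Optional[str] = None,
                        keep_current: bool = False) -> bool:
        """Logged-in change; re-prove the old password, then optionally keep this session."""
        user = self.users[username]
        if not self._check(user, old):
            return False
        self._rotate(user, new)
        cur = self.sessions.get(current_sid) if current_sid else None
        if keep_current and cur is not None and cur.username == username:
            cur.password_version = user.password_version  # re-issue only the caller's session
        return True

    def reset_password(self, username: str, new: str) -> None:
        """Forgot-password path: no session survives, including the one that requested it."""
        self._rotate(self.users[username], new)

    def active_sessions(self, username: str) -> int:
        return sum(1 for s in self.sessions.values()
                   if s.username == username and self.is_valid(s.session_id))


def demo() -> dict:
    """Victim and attacker both hold sessions; victim changes the password and keeps hers."""
    store = AuthStore()
    store.register("alice", "correct horse")
    victim = store.login("alice", "correct horse")
    attacker = store.login("alice", "correct horse")  # constructed: stolen credentials
    store.change_password("alice", "correct horse", "new pass", current_sid=victim, keep_current=True)
    return {"victim_ok": store.is_valid(victim), "attacker_ok": store.is_valid(attacker),
            "active": store.active_sessions("alice")}


if __name__ == "__main__":
    print(demo())
```

The password-version stamp is the cheap part of the design: the server never has to find and delete the attacker's session row, it only has to compare two integers on every request, which also covers sessions that live in a cache the application forgot about.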
What Main Domain are you talking about? "i am a bug hunter, i wanna report a bug your main domain...."
And why on Earth should someone contact an anonymous GMail Address holder, to then talk about possible security Issues?
I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site: https://github.com/IP-CAM
3'780 FREE OC Extensions, on the World's largest Github OC Repository Archive Site.