I received this email. To me the problem - if it is one at all - sounds fairly academic. But maybe someone with more technical background can enlighten me, and perhaps others too.
This is the mail:
Hello Team,
I am a security researcher and I provide information and knowledge regarding "Vulnerability" on websites. I have found a vulnerability on your website/domain.
ISSUE: Failure to invalidate session on Password Change.
I have observed that when we change the "Password" from one browser, instead of the session expiring in another browser, it just updates the password, and the old session in the other browser gets updated without being logged out.
Steps to check Session Management issue On password change:
1- Login from two browsers at a time [From Chrome browser and from Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.
Recommendations:
If the session is updated from one browser, the others should expire first, so that the session is renewed only after a new login.
Impact:
If the attacker has a user's password and is logged in from different places, then, as the other sessions are not destroyed, the attacker will still be logged in to your account even after the password is changed, because his session is still active. A malicious actor can completely access your account until that session expires! So, your account remains insecure even after changing the password.
Let me know if you have any other questions. I’m hoping to receive a bounty reward for my findings. I will be looking forward to hearing from you on this and will be reporting other vulnerabilities accordingly.
Best regards.