Account access with old password
HackerOne report #437194 by rogov on 2018-11-08:
Hi!
Summary: Account access with old password
Description: Under certain conditions the vulnerability allows access to an account with the old password.
Steps To Reproduce:
- Log in to an account that has 2FA enabled (enter only login:password; do not touch the 2FA confirmation window).
- Open a new window, log in to the same account and change the password. We see that this logs us out of our account.
- Return to the window with the 2FA confirmation and see that the session started with the old password is still alive. To confirm it, just enter the 2FA code and see that it lets us into the account with the session that was started with the old password.
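The following toy model, added here and not part of the report or of the affected application, reproduces the three steps above: a pending 2FA challenge is opened against the old password, the password is changed in another window (which logs out established sessions only), and the stale challenge is then completed. With `bind_to_password_version=True` the hardened variant records which password version the first step verified and rejects the challenge once that version is stale; the user store, the fixed 2FA code "123456" and all names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class User:
    password: str
    password_version: int = 0   # bumped on every password change

class AuthService:
    """Login = password check, then a separate 2FA step (toy model, constructed)."""
    def __init__(self, users, bind_to_password_version):
        self.users = users
        self.bind = bind_to_password_version  # False reproduces the reported behaviour
        self.pending = {}    # 2FA token -> (username, password_version at step 1)
        self.sessions = {}   # session id -> username, fully authenticated

    def login_step1(self, username, password):
        user = self.users[username]
        if not secrets.compare_digest(user.password, password):
            return None
        token = secrets.token_hex(8)   # identifies the half-finished login
        self.pending[token] = (username, user.password_version)
        return token

    def change_password(self, username, new_password):
        user = self.users[username]
        user.password = new_password
        user.password_version += 1
        # Established sessions are logged out (the report observes this), but the
        # pending 2FA challenges opened with the old password are left untouched.
        self.sessions = {s: u for s, u in self.sessions.items() if u != username}

    def login_step2(self, token, code):
        pending = self.pending.pop(token, None)
        if pending is None or code != "123456":   # constructed fixed 2FA code
            return None
        username, version_at_step1 = pending
        if self.bind and version_at_step1 != self.users[username].password_version:
            return None   # hardened: password changed after step 1, reject the stale login
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

def reproduce(bind_to_password_version):
    """Walk the report's steps; returns True if the old-password login was accepted."""
    svc = AuthService({"alice": User("old-password")}, bind_to_password_version)
    token = svc.login_step1("alice", "old-password")    # window 1: stop at the 2FA prompt
    svc.change_password("alice", "new-password")        # window 2: change the password
    return svc.login_step2(token, "123456") is not None  # window 1: enter the 2FA code
```

`reproduce(False)` returns True (the bug), `reproduce(True)` returns False; the same check also covers clearing the pending challenges directly inside the password-change handler.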
Supporting Material/References:
Nothing to add :)
Impact
Account access with old password