
Old Session Does Not Expire After Password Change {Weakness: Insufficient Session Expiration} #559

Summary:
I discovered that the application fails to invalidate sessions after a password change. In this scenario, changing the password does not destroy the other sessions that were logged in with the old password.

STEPS TO REPRODUCE:

1- Create an account on https://birdeye.so and log in from two browsers [Firefox and Chrome].

2- Go to reset password and change the password [Firefox].

3- You will see that the other session does not expire. The account is still logged in with the old password [Chrome].

Mitigation:
When a user's password is changed, each and every active session that belongs to that account must be destroyed.
I would like to recommend that you add a step that asks the user whether they want to close all other open sessions right after changing the password.
So there are two ways: either let users choose whether they want to keep their other active sessions, or destroy every active session whenever a user changes his/her password.
Please fix this vulnerability and let me know. Looking forward to hearing from you.

Impact:
Due to this bug, there is no way for the victim to revoke the attacker's access if the account has already been compromised.
If an attacker has the user's password and is logged in from other places, those sessions are not destroyed, so the attacker remains logged in to the account even after the password is changed, because the attacker's session is still active. The malicious actor has complete access to the account until that session expires, so the account remains insecure even after the password change.
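To make the mitigation concrete, the following is an added example (not code from the original report and not birdeye.so's code) of the session-versioning pattern that fixes the issue described above: every user record carries a password version, every session records the version it was issued under, and a session is only valid while the two match. Changing the password bumps the version, which invalidates every other session at once (optionally keeping the session that made the change, as the report suggests letting the user choose). The class and function names, the in-memory stores, and the requirement to present the old password on change are all assumptions for illustration; the `VulnerableAuthService` subclass reproduces the reported behaviour for comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumption: any sound password-hashing setting works here


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_version: int = 0  # incremented on every password change


@dataclass
class Session:
    token: str
    username: str
    password_version: int  # version of the password this session was issued under
    created_at: float = field(default_factory=time.time)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Hardened version: sessions are bound to the password version."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_version)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.username]
        # A session issued under an older password version is rejected even if
        # it was never explicitly deleted (covers replicated or cached stores).
        return session.password_version == user.password_version

    def change_password(self, token: str, old_password: str, new_password: str,
                        keep_current_session: bool = True) -> bool:
        session = self.sessions.get(token)
        if session is None or not self.is_valid(token):
            return False
        user = self.users[session.username]
        if not self._check_password(user, old_password):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_version += 1  # invalidates every session issued so far
        # Also purge the stale sessions from the store so they cannot linger.
        for other_token in [t for t, s in self.sessions.items()
                            if s.username == user.username and t != token]:
            del self.sessions[other_token]
        if keep_current_session:
            session.password_version = user.password_version  # re-bind the caller's session
        else:
            del self.sessions[token]
        return True


class VulnerableAuthService(AuthService):
    """Reproduces the reported behaviour: the hash changes, sessions do not."""

    def change_password(self, token: str, old_password: str, new_password: str,
                        keep_current_session: bool = True) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.username]
        if not self._check_password(user, old_password):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        return True  # password_version untouched: every old session stays valid


def reproduce(service: AuthService) -> Dict[str, bool]:
    """Runs the report's steps: two logins, change password from one, check both."""
    service.register("victim", "old-password")
    firefox = service.login("victim", "old-password")
    chrome = service.login("victim", "old-password")  # e.g. the attacker's session
    assert firefox is not None and chrome is not None
    service.change_password(firefox, "old-password", "new-password", keep_current_session=True)
    return {"firefox": service.is_valid(firefox), "chrome": service.is_valid(chrome)}


if __name__ == "__main__":
    print("vulnerable:", reproduce(VulnerableAuthService()))  # chrome stays valid
    print("fixed:     ", reproduce(AuthService()))            # chrome is rejected
```

Checking the version on every request is what makes the fix robust: a session that survives in a cache or a replica after the purge is still rejected, and a password-reset flow that cannot name a "current" session can simply bump the version and let every session die. Passing `keep_current_session=False` gives the "close all sessions, including this one" option from the mitigation section.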

Status: changed to In Progress (12 days ago)