Failure to invalidate session after password reset

Disclosed by
Yashodhar
  • Engagement: Atlassian
  • Disclosed date: over 2 years ago
  • Priority: P4 (Bugcrowd's VRT priority rating)
  • Status: Informational (this vulnerability is seen as an accepted business risk)
Summary by Atlassian

Session is not invalidated after password reset vulnerability in Atlassian Identity

Summary by Yashodhar

thank you

Report details
  • Submitted
  • Target Location: Atlassian Identity (https://id.atlassian.com/login)
  • Target category: Web App
  • VRT: Broken Authentication and Session Management > Failure to Invalidate Session > On Password Reset and/or Change
  • Priority: P4
  • Bug URL: https://id.atlassian.com/manage-profile/security
  • Description

    Hello Team.

    HOW TO REPRODUCE (POC: ATTACHED VIDEO):

    1. Log in to your account in two browsers.
    2. Change the password in any one browser.
    3. Refresh the page in the other browser.
    You will see that the other session is not logged out!
    Hence, there was a failure to invalidate the session on password change.

    Impact: If an attacker has the user's password and is logged in from different places, then, as the other sessions are not destroyed, the attacker will still be logged in to your account even after you change the password, because his session is still active. A malicious attacker can fully access your account until that session expires! So your account remains insecure even after the password change.
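The expected server-side behaviour, written here as an added example (not Atlassian's code): each session is bound to the password "generation" current at login, and a password change bumps the generation so every other session fails validation on its next request. The `AuthServer` class, the user `alice` and the passphrases are constructed for the example; `reproduce_report()` walks through the report's three steps.

```python
import hashlib, hmac, os, secrets

class AuthServer:
    """Toy identity service (constructed example). Sessions carry the password
    generation that was current at login; change_password() increments it."""
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "generation"}
        self.sessions = {}  # session id -> {"user", "generation"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "generation": 0}

    def _check_password(self, username, password):
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u["hash"], self._hash(password, u["salt"]))

    def login(self, username, password):
        if not self._check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "generation": self.users[username]["generation"]}
        return sid

    def session_valid(self, sid):
        # A session is only valid while its generation matches the user's current one.
        s = self.sessions.get(sid)
        return s is not None and s["generation"] == self.users[s["user"]]["generation"]

    def change_password(self, sid, old_password, new_password):
        if not self.session_valid(sid) or not self._check_password(self.sessions[sid]["user"], old_password):
            return False
        u = self.users[self.sessions[sid]["user"]]
        u["salt"] = os.urandom(16)
        u["hash"] = self._hash(new_password, u["salt"])
        u["generation"] += 1                                 # all other sessions are now stale
        self.sessions[sid]["generation"] = u["generation"]   # only the changing session is re-bound
        return True

def reproduce_report():
    """Steps 1-3 of the report: two logins, change the password in one, refresh the other."""
    srv = AuthServer()
    srv.register("alice", "correct horse")
    browser_a = srv.login("alice", "correct horse")
    browser_b = srv.login("alice", "correct horse")
    changed = srv.change_password(browser_a, "correct horse", "new passphrase")
    return changed, srv.session_valid(browser_a), srv.session_valid(browser_b)
```

Under the reported behaviour the third value would be `True`; with generation checking the second browser is logged out as soon as it refreshes.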
