Reauthentication can be bypassed by simply dropping the request

Disclosed by
divideBy0
Summary by divideBy0

A vulnerability was identified in the re-authentication mechanism that allowed users to bypass the intended re-auth flow, granting access to sensitive functionality without completing the required verification step.

Report details
  • Submitted

  • Target Location

    https://us.posthog.com/
  • Target category

    Web App

  • VRT

    Broken Authentication and Session Management > Failure to Invalidate Session > Long Timeout
  • Priority

    P3
  • Bug URL
    Empty
  • Description

    The application has implemented a reauthentication mechanism to prevent unauthorized access to sensitive areas such as the user profile. However, this mechanism is enforced only on the client: if the /api/login/ request sent on submit is dropped before the server responds, the UI proceeds as though reauthentication had succeeded, and the protected profile data can be both viewed and modified.

    Business Impact

    The website has implemented reauthentication because the data is considered sensitive and only the original owner should be able to modify it. If reauthentication is bypassed, anyone with access to an already signed-in session (for example on a shared or unattended machine) can not only view the data but also modify it, clearly defeating the purpose of reauthentication.

    Furthermore, a successful bypass of reauthentication undermines user confidence in the platform's security. This loss of trust can hurt the brand's reputation and disrupt normal business operations.

    Steps to Reproduce

    1. Visit https://us.posthog.com in the Burp browser and sign in to your account.
    2. Click the dropdown arrow at the top right corner (screenshot: 2025-09-17_14h28_10.png).
    3. Click the settings icon next to your email (screenshot: 2025-09-17_13h49_55.png).
    4. The page will prompt you to reauthenticate.
    5. Enter any arbitrary value in the password field, but do not submit yet.
    6. Turn on Intercept in Burp and click the submit button.
    7. If Burp intercepts multiple requests, forward them one by one until you reach the /api/login/ request.
    8. Drop this request and turn off Intercept.
    9. The reauthentication page is bypassed and the settings are shown.
    10. Modify any data and save; the change is accepted by the server.
    11. Revisit https://us.posthog.com to confirm the changes persisted.
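    The following Node.js snippet is an added example, not part of this report or of PostHog's code. It models the class of flaw the steps above exercise: a client-side gate that flips to "reauthenticated" on submit and is only reset by an explicit error response, so a dropped /api/login/ request leaves it open, beside a server that stamps the session on a successful login and re-checks that stamp on every sensitive write. The function names, the in-memory session, the sample credentials and the five-minute REAUTH_WINDOW_MS are all assumptions made for the example.

```javascript
// Added example (assumptions: in-memory session, names, 5-minute window).
const REAUTH_WINDOW_MS = 5 * 60 * 1000; // how long a successful re-auth stays valid

// Constructed in-memory server holding one already signed-in session.
function createServer(validPassword) {
  const session = {
    userId: 1,
    reauthAt: null, // set only by a successful /api/login/
    profile: { name: 'Alice', email: 'alice@example.com' },
  };
  return {
    // POST /api/login/ (re-authentication): stamps the session on success.
    login(password, now = Date.now()) {
      if (password !== validPassword) return { status: 401 };
      session.reauthAt = now;
      return { status: 200 };
    },
    // Vulnerable write: trusts the client-side gate and never looks at reauthAt.
    updateProfileVulnerable(patch) {
      Object.assign(session.profile, patch);
      return { status: 200 };
    },
    // Hardened write: every sensitive change re-checks the session server-side.
    updateProfileHardened(patch, now = Date.now()) {
      const fresh = session.reauthAt !== null && now - session.reauthAt <= REAUTH_WINDOW_MS;
      if (!fresh) return { status: 403, error: 'reauthentication required' };
      Object.assign(session.profile, patch);
      return { status: 200 };
    },
    getProfile() {
      return { ...session.profile };
    },
  };
}

// Simulated network: `drop` models Burp's Drop on the intercepted request,
// so the server never sees it and the client never receives a response.
function sendRequest(call, drop) {
  return drop ? undefined : call();
}

// Vulnerable client gate: opens optimistically on submit and is closed again
// only by an explicit non-200 response. A dropped request keeps it open.
function vulnerableClientReauth(server, password, drop) {
  const state = { reauthenticated: true }; // the bug: set before any response
  const resp = sendRequest(() => server.login(password), drop);
  if (resp !== undefined && resp.status !== 200) state.reauthenticated = false;
  return state.reauthenticated;
}

// Fixed client gate: opens only on a 200 from /api/login/. Dropped requests
// and 401s both leave it closed.
function fixedClientReauth(server, password, drop) {
  const resp = sendRequest(() => server.login(password), drop);
  return resp !== undefined && resp.status === 200;
}

// Whole scenario: someone at the keyboard types any password, optionally drops
// the request, then tries to change the account email.
function runScenario({ password, drop, clientFixed, serverHardened }) {
  const server = createServer('correct horse battery staple');
  const gate = clientFixed
    ? fixedClientReauth(server, password, drop)
    : vulnerableClientReauth(server, password, drop);
  if (!gate) return { gate, saveStatus: null, email: server.getProfile().email };
  const patch = { email: 'attacker@example.com' };
  const resp = serverHardened
    ? server.updateProfileHardened(patch)
    : server.updateProfileVulnerable(patch);
  return { gate, saveStatus: resp.status, email: server.getProfile().email };
}

// The report's scenario: arbitrary password, request dropped, no server check.
console.log(runScenario({ password: 'x', drop: true, clientFixed: false, serverHardened: false }));
// The same attempt against the hardened server is refused.
console.log(runScenario({ password: 'x', drop: true, clientFixed: false, serverHardened: true }));
```

    Fixing the client gate alone is not sufficient, since anyone who can drop a request can also edit the JavaScript state; the check that matters is the server-side one in updateProfileHardened, which makes the client gate purely cosmetic.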

    Proof of Concept (PoC)

    I have attached the video demonstrating the reauthentication bypass. Let me know if anything is not clear.
