Vulnerability Report

Ayush Oberoi ayushoberoi55 at gmail.com
Wed Oct 16 14:01:46 EDT 2019


Vulnerable URL: https://www.pidgin.im

I used two browsers to check for broken authentication and improper
session validation. I created one account in Google Chrome and logged in.
I opened another browser, say Firefox, logged in with the same account and
changed the password there. After the password had been changed, I returned
to the old session and reloaded. The session had not expired.

Impact
This is the most general security practice used, as the dashboard has
password reset functionality. Let's say somehow a user's account was
compromised through a password leak. The attacker logged into your account.
For security, you log in and reset the password. If the reset doesn't
invalidate all existing sessions, the attacker still has access, as long as
they don't let their session expire.
The reset hasn't actually achieved anything in this scenario.
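The behaviour described in the report, modelled server-side as an added example (this is not pidgin.im's code, and nothing is known about how the real site stores sessions). The service below has two modes: one keeps every session alive after a password change, reproducing the report; the other stamps each session with the user's password "generation" at login and rejects sessions whose stamp is stale, while re-stamping the session that performed the change so the legitimate user is not logged out of their own browser. The account name, passwords and helper names are constructed for the demo. The two-browser procedure from the report is replayed against both modes.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Salt is fresh unless given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class User:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_generation = 0  # bumped on every password change

    def check_password(self, password):
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def set_password(self, new_password):
        self.salt, self.digest = hash_password(new_password)
        self.password_generation += 1


class AuthService:
    """invalidate_on_change=False reproduces the reported behaviour;
    True applies the fix (stale sessions are rejected and removed)."""

    def __init__(self, invalidate_on_change):
        self.users = {}
        self.sessions = {}  # token -> (username, password generation at login)
        self.invalidate_on_change = invalidate_on_change

    def register(self, username, password):
        self.users[username] = User(username, password)

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user.password_generation)
        return token

    def current_user(self, token):
        """Resolve a session token to a username, or None if not logged in."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, generation = entry
        user = self.users[username]
        if self.invalidate_on_change and generation != user.password_generation:
            self.sessions.pop(token, None)  # stale session: log it out
            return None
        return username

    def change_password(self, token, old_password, new_password):
        username = self.current_user(token)
        if username is None:
            return False
        user = self.users[username]
        if not user.check_password(old_password):  # re-authenticate first
            return False
        user.set_password(new_password)
        # Keep the session that made the change valid by re-stamping it;
        # every other session for this user is now stale.
        self.sessions[token] = (username, user.password_generation)
        return True


def replay_report(invalidate_on_change):
    """Replay the two-browser check from the report.
    Returns (old_browser_still_logged_in, changing_browser_still_logged_in)."""
    svc = AuthService(invalidate_on_change)
    svc.register("alice", "hunter2")  # constructed test account
    chrome = svc.login("alice", "hunter2")  # browser 1 (or the attacker)
    firefox = svc.login("alice", "hunter2")  # browser 2, changes the password
    if not svc.change_password(firefox, "hunter2", "correct horse battery"):
        raise RuntimeError("password change unexpectedly rejected")
    old_alive = svc.current_user(chrome) is not None
    changer_alive = svc.current_user(firefox) is not None
    return old_alive, changer_alive


if __name__ == "__main__":
    print("flawed:", replay_report(False))  # old browser session survives
    print("fixed: ", replay_report(True))   # old browser logged out, changer kept
```

When checking a real site the same way, also confirm that the token value itself changes after the password update (rotation in the browser that made the change) and that a password reset via e-mail link, which has no logged-in session to keep, invalidates every session.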