Session Fixation in alovoa/alovoa

Status: Valid

Reported on: Sep 16th 2021


Description

When a user changes their password, neither the session in which the password was changed nor any existing sessions in other browsers or devices are expired; all of them remain active. Strictly, this is a failure to invalidate existing sessions on a credential change (insufficient session expiration) rather than session fixation in the narrow sense, but the practical effect on a compromised account is the same: resetting the password does not evict whoever already holds a session.

Proof of Concept

STEPS TO REPRODUCE:

  1. Log in from Browser A and make sure to check the 'stay logged in to this device' checkbox while logging in.
  2. From Browser B, log in to the same account and change the password. Notice that the session in Browser A remains active and does not expire.

Impact

The session does not expire even after the victim changes their password. As a result, a victim whose account has already been compromised has no way to revoke the attacker's access by changing the password.
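The following is an added example, not alovoa's code: a toy in-memory session store that models the two steps above (Browser A logs in with "stay logged in", Browser B changes the password) and contrasts a password-change handler that only rewrites the hash with one that also revokes the user's other sessions and every persistent "stay logged in" token. Account, session and token handling are constructed for this example; alovoa itself is a Spring Boot application, where the equivalent of the fixed handler is expiring the user's entries in Spring Security's SessionRegistry and calling PersistentTokenRepository.removeUserTokens for the remember-me cookies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    pw_hash: bytes
    salt: bytes


class SessionStore:
    """Constructed server-side state for the example: accounts, interactive
    sessions and persistent 'stay logged in' tokens. Not alovoa's code."""

    def __init__(self):
        self.accounts = {}          # username -> Account
        self.sessions = {}          # session id -> username
        self.remember_tokens = {}   # persistent token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, self._hash(password, salt), salt)

    def register(self, username, password):
        self._set_password(username, password)

    def login(self, username, password, stay_logged_in=False):
        """Returns (session id, remember-me token or None); raises on bad credentials."""
        acct = self.accounts[username]
        if not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        token = None
        if stay_logged_in:
            token = secrets.token_urlsafe(32)
            self.remember_tokens[token] = username
        return sid, token

    def is_active(self, sid):
        return sid in self.sessions

    def resume(self, token):
        """What Browser A does with its 'stay logged in' cookie once its
        interactive session is gone: mint a fresh session from the token."""
        username = self.remember_tokens.get(token)
        if username is None:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def change_password_vulnerable(self, sid, new_password):
        # Only the hash changes: every session and remember-me token stays valid,
        # which is the behaviour the report describes.
        self._set_password(self.sessions[sid], new_password)

    def change_password_fixed(self, sid, new_password):
        username = self.sessions[sid]
        self._set_password(username, new_password)
        # Revoke every other interactive session for this user (the session that
        # performed the change is kept so the user is not logged out mid-flow)...
        for other in [s for s, u in self.sessions.items() if u == username and s != sid]:
            del self.sessions[other]
        # ...and every persistent token, so a 'stay logged in' browser cannot
        # silently re-establish a session with the old credential.
        for token in [t for t, u in self.remember_tokens.items() if u == username]:
            del self.remember_tokens[token]


def reproduce(fixed):
    """Replays the report's steps and returns what each browser can still do."""
    store = SessionStore()
    store.register("victim", "old-password")
    sid_a, token_a = store.login("victim", "old-password", stay_logged_in=True)  # Browser A
    sid_b, _ = store.login("victim", "old-password")                             # Browser B
    if fixed:
        store.change_password_fixed(sid_b, "new-password")
    else:
        store.change_password_vulnerable(sid_b, "new-password")
    try:
        store.login("victim", "old-password")
        old_password_rejected = False
    except PermissionError:
        old_password_rejected = True
    return {
        "a_session_active": store.is_active(sid_a),
        "a_can_resume": store.resume(token_a) is not None,
        "b_session_active": store.is_active(sid_b),
        "old_password_rejected": old_password_rejected,
    }


if __name__ == "__main__":
    print("vulnerable:", reproduce(fixed=False))
    print("fixed:     ", reproduce(fixed=True))
```

Note that checking the remember-me token matters as much as the interactive session: even if Browser A's session were expired, a surviving persistent token would let it log back in without the new password. A further hardening that actually addresses session fixation in the narrow sense is to rotate the session id of the session that performed the change rather than keep it unchanged.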

Timeline

We have contacted a member of the alovoa team and are waiting to hear back (a year ago)
Nho Quy Dinh validated this vulnerability (a year ago)
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh confirmed that a fix has been merged on 05cc2b (a year ago)
Nho Quy Dinh has been awarded the fix bounty