Insufficient Session Expiration in cortezaproject/corteza-server

Valid

Reported on

Oct 2nd 2021


Set up cortezaproject/corteza-server on your local machine.

Steps:

  1. Create an account on Corteza.

  2. Log in with the same credentials from Chrome and Firefox.

  3. Change the user's password from Chrome.

  4. Perform any activity in Firefox; the session is still valid.

Mitigation:

After changing the password, each and every active session that belongs to that particular account must be destroyed!
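The following is an added example written for this page; it is not code from corteza-server and does not show how the project stores tokens. It models the reported flow in an in-memory store (user IDs, the `hash-v1` placeholder hashes and the two-browser scenario are all constructed) and contrasts the reported behaviour, where a password change leaves every session alive, with one mitigation: each session records the credential generation it was issued under, a password change bumps the user's generation, and validation rejects any session from an older generation. The session that performed the change is re-bound to the new generation so the user is not logged out of the browser they are using.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
)

// ErrSessionInvalid is returned for unknown or revoked tokens.
var ErrSessionInvalid = errors.New("session revoked or unknown")

type user struct {
	passwordHash string // placeholder; a real store would hold a bcrypt/argon2 hash
	credGen      uint64 // incremented on every password change
}

type session struct {
	userID  string
	credGen uint64 // generation the session was issued under
}

// Store is a constructed in-memory user/session store for the example.
type Store struct {
	mu       sync.Mutex
	users    map[string]*user
	sessions map[string]*session // token -> session
}

func NewStore() *Store {
	return &Store{users: map[string]*user{}, sessions: map[string]*session{}}
}

func (s *Store) CreateUser(id, pwHash string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &user{passwordHash: pwHash, credGen: 1}
}

// Login issues a random token bound to the user's current credential generation.
func (s *Store) Login(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.sessions[tok] = &session{userID: userID, credGen: u.credGen}
	return tok, nil
}

// Validate rejects tokens whose generation is older than the user's current one.
func (s *Store) Validate(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrSessionInvalid
	}
	u := s.users[sess.userID]
	if u == nil || sess.credGen != u.credGen {
		delete(s.sessions, token) // lazily drop stale sessions
		return "", ErrSessionInvalid
	}
	return sess.userID, nil
}

// ChangePasswordNoRevoke reproduces the reported behaviour: the hash is replaced
// but every existing session, in every browser, remains valid.
func (s *Store) ChangePasswordNoRevoke(userID, newHash string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if u, ok := s.users[userID]; ok {
		u.passwordHash = newHash
	}
}

// ChangePassword is the mitigated flow: bump the generation so every other
// session is revoked, and re-bind the session that made the change.
func (s *Store) ChangePassword(userID, newHash, currentToken string) (revoked int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return 0
	}
	u.passwordHash = newHash
	u.credGen++
	for tok, sess := range s.sessions {
		if sess.userID != userID {
			continue
		}
		if tok == currentToken {
			sess.credGen = u.credGen // keep the changing browser logged in
			continue
		}
		delete(s.sessions, tok)
		revoked++
	}
	return revoked
}

// Reproduce walks the report's steps (log in from two browsers, change the
// password from one) against both flows and reports: whether the second
// browser survives the unmitigated change, whether it is revoked by the
// mitigated change, and whether the changing browser keeps its session.
func Reproduce() (bugStillValid, fixedRevoked, fixedCurrentKept bool, err error) {
	st := NewStore()
	st.CreateUser("alice", "hash-v1")
	chrome, err := st.Login("alice")
	if err != nil {
		return
	}
	firefox, err := st.Login("alice")
	if err != nil {
		return
	}
	st.ChangePasswordNoRevoke("alice", "hash-v2")
	_, e := st.Validate(firefox)
	bugStillValid = e == nil

	st.ChangePassword("alice", "hash-v3", chrome)
	_, e = st.Validate(firefox)
	fixedRevoked = errors.Is(e, ErrSessionInvalid)
	_, e = st.Validate(chrome)
	fixedCurrentKept = e == nil
	return
}
```

The generation check is what makes revocation robust: even a token that was never deleted from the store (or that lives in a cache or a signed cookie carrying the generation) fails validation once the generation moves on, which is the property a "revoke everything on password change" mitigation needs.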

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back a year ago
takester (Researcher), a year ago:

Any update?

takester (Researcher), a year ago:

Any update?

We have sent a third and final follow up to the cortezaproject/corteza-server team. This report is now considered stale. a year ago
Tomaž Jerman (Maintainer), a year ago:

Thank you for reporting. We were implementing some improvements to how tokens are stored and managed. I will sync internally to see exactly how we want your case to look.

Tomaž Jerman (Maintainer), a year ago:

The reported flow holds, but we are not planning on changing it. A user has an option to revoke their sessions at any point if they decide to do so, but we will not revoke them automatically for such cases.

We might add a popup (or something) to ask the user to revoke the sessions for cases such as password changes or logout for a nicer UX (something similar to what Facebook does IIRC).

@admin should this disclosure be considered valid? For us, we would say no.

Jamie Slome (Admin), a year ago:

Same situation here @tjerman. Feel free to mark as invalid if you do not believe this to be a security issue.

Tomaž Jerman validated this vulnerability a year ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomaž Jerman (Maintainer), a year ago:

The final decision reconsidered this as an issue. Thank you for the disclosure.

Tomaž Jerman marked this as fixed with commit 015771 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
takester (Researcher), a year ago:

Thanks for the bounty. Will I be getting a CVE for this?

Jamie Slome (Admin), a year ago:

@takester - if the maintainer confirms they are happy for a CVE to be published here, we can go ahead and do this for you!

takester (Researcher), a year ago:

Okay, thanks.
