Severity: Low
Bug ID: 724
Researcher: testingcs
Status: Disclosed
Submitted: 04/24/2016
Description: SESSION TAKEOVER bug in CROWDSHIELD.
In this bug, even after changing the password, the user's session DOES NOT EXPIRE on other devices.
Affected URL: https://crowdshield.com
Steps to Reproduce the BUG:
1) I have logged into two different browsers with the same password (the password is qwertyuiop2).
2) Now I am changing the password in one of the browsers (the new password is qwertyuiop3).
3) NOW, EVEN AFTER CHANGING THE PASSWORD, MY SESSION IN THE OTHER BROWSER IS STILL ALIVE.
The DANGER associated with this bug is that an ATTACKER can hijack the session and account of the VICTIM.
Bug Recommendation: MUST EXPIRE THE SESSION AS SOON AS THE USER LOGS OUT.
submitted a Session Security and Cookies bug to CrowdShield
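As an added example (not CrowdShield's code or the researcher's), a minimal Python session store in which every session is bound to the password generation it was issued under, so a password change from one browser invalidates all other sessions for that account and logout revokes a session immediately. User names, tokens and the plain SHA-256 hashing are constructed for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    pw_hash: str
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    pw_generation: int  # generation the session was issued under
    revoked: bool = False


class SessionStore:
    """Sessions whose generation lags the user's current one are rejected."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    @staticmethod
    def _hash(pw):
        # Demo only: a real deployment uses a salted, slow hash (argon2/bcrypt).
        return hashlib.sha256(pw.encode()).hexdigest()

    def register(self, name, password):
        self.users[name] = User(self._hash(password))

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or user.pw_hash != self._hash(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.pw_generation)
        return token

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        # Stale generation means the password changed after this session was issued.
        return s.pw_generation == self.users[s.user].pw_generation

    def change_password(self, token, old_pw, new_pw):
        if not self.is_valid(token):
            return False
        s = self.sessions[token]
        user = self.users[s.user]
        if user.pw_hash != self._hash(old_pw):
            return False
        user.pw_hash = self._hash(new_pw)
        user.pw_generation += 1
        s.pw_generation = user.pw_generation  # only the changing session survives
        return True

    def logout(self, token):
        if token in self.sessions:
            self.sessions[token].revoked = True
```

With this store, the second browser's session in the report above would fail validation on its next request instead of staying alive.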
Hi, thanks for the info and video. This appears to be valid, so we're looking into a fix now.
awarded 5 points to testingcs for a Session Security and Cookies bug
closed a Session Security and Cookies bug submitted by testingcs
disclosed a Session Security and Cookies bug submitted by testingcs