Hi rob, I tried what you said and it does not affect the other session.
The open session stays open and is not invalidated. @all others: Thanks for all the helpful explanations; For me this is clear now and I reported this issue. Regards, Christian 2014-06-24 22:03 GMT+02:00 R D <rd.secli...@gmail.com>: > Hi all, > Yes Christian, this might be a security vulnerability, but it's an edge > case. > > To me, the problem here is the difference between the user expectation and > what really happens. > A clear case of a similar vuln is when you log out of a website and what > the website actually does is just deleting the cookies on your browser, but > not invalidating the session Id server-side (so the session is still valid > for any attacker holding onto the cookie). > In your case, you click the "forgot password" button. One might say you > have no expectation of this killing any other session you might have on the > application. But in reality, the password reset function might be used in > the case of a (suspected) account compromise; either you cannot login > because an attacker has changed your password, or you can't be bothered to > log in to change your password but you suspect someone might have gained > access to your account. In both cases this is clearly not the intended > behaviour as the attacker remains in control of your account. > > You might want to try changing your password while logged in and see if > when the password is changed this way, the other sessions are invalidated. > > Regards, > --rob' > > On Mon, Jun 23, 2014 at 9:39 PM, uname -a <sec.l...@gmx.net> wrote: > > > Yes it is a vector. > > Imagin the following: > > you go to a "friend". there you log in to your site. > > before you leave, you forgotten to logout. > > at home you change your password. > > but your friend can still use your account. > > > > greetings > > > > Am 23.06.2014 20:21, schrieb Christian K.: > > > Hi, > > > > > > i have a question if this is an attack vector (website is german want > ad > > > branch from ebay kleinanzeigen.ebay.de prob. english site affected > too): > > > > > > On Computer A the browser (FF) has an open tab with the site where, > when > > > visited, user A is always signed on (because the specific site is the > > user > > > panel). > > > > > > On Computer B user A wants to log into his account, but forgot his > > > password. He successfully changed his password using the "forgot > > password" > > > button and was able to log in. > > > > > > Then user A moves from Computer B to Computer A (which was off at the > > time > > > user A was at Computer B) and starts its browser where he realizes that > > he > > > is still logged into his account on the site without any password > > > confirmation. > > > > > > As this happend to me, the question is: is this an attack vector (I > > assume > > > it is) and how can I as a user protect myself? Am not really into > > security > > > engineering (just non-sec-related software engineering...), so forgive > my > > > dumbness! > > > > > > Thanks. > > > > > > > > > C. > > > > > > _______________________________________________ > > > Sent through the Full Disclosure mailing list > > > http://nmap.org/mailman/listinfo/fulldisclosure > > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > > > > _______________________________________________ > > Sent through the Full Disclosure mailing list > > http://nmap.org/mailman/listinfo/fulldisclosure > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
