sхс
Легенда
Если вам придет подобное сообщение - не отвечайте. Его рассылает бот и в случае ответа, вашим сайтом плотно займется псевдо этичный хакер заливая на него эксплойты и вымогая N-ую сумму.
Текст отлично гуглится
Текст отлично гуглится
Hey Team,
I'm a penetration tester and bug bounty hunter. I have found a
potential vulnerability in the site. Please review the report below.
Vulnerability: Broken Authentication & Session Management
We have observed that when we change "password" from one browser in
place of session expiration from another browser it just updates the
password from another browser and the old session gets updated without
being logged out. The flows goes like this:
Broken Authentication and Session Management > Failure to Invalidate
Session > On Password Change
Steps:
1- Login from two browsers at a time [From Chrome browser and from
Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.
Same goes with when using two different computer systems.
1- Login from two computers at a time
2- Change password in settings from computer A.
3- Now Check computer B.
4- Your Session got "updated" in place of expiration.
Recommendations: If Session is Updating from one Browser/Computer so
other should expire first to renew session after login.
If you require any additional information, please let me know. I'll be
waiting to hear from your side regarding the report and bounty.
I'm a penetration tester and bug bounty hunter. I have found a
potential vulnerability in the site. Please review the report below.
Vulnerability: Broken Authentication & Session Management
We have observed that when we change "password" from one browser in
place of session expiration from another browser it just updates the
password from another browser and the old session gets updated without
being logged out. The flows goes like this:
Broken Authentication and Session Management > Failure to Invalidate
Session > On Password Change
Steps:
1- Login from two browsers at a time [From Chrome browser and from
Mozilla Firefox].
2- Change password in settings from chrome browser.
3- Now Check Mozilla Firefox.
4- Your Session got "updated" in place of expiration.
Same goes with when using two different computer systems.
1- Login from two computers at a time
2- Change password in settings from computer A.
3- Now Check computer B.
4- Your Session got "updated" in place of expiration.
Recommendations: If Session is Updating from one Browser/Computer so
other should expire first to renew session after login.
If you require any additional information, please let me know. I'll be
waiting to hear from your side regarding the report and bounty.