Session not invalidated after password reset
Medium
Gener8
Team Summary
Official summary from Gener8
After a user performed a password reset, all their active refresh tokens were not invalidated. This could allow an adversary with access to a valid refresh token to regain control of a victim's account subsequent to a password reset being completed.
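The remediation the summary implies, shown as an added illustration that is not Gener8's code: each refresh token records the password generation it was issued under, and a password reset bumps that counter so every earlier token is rejected on its next use. The service class, token format and placeholder password hashing are assumptions made for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

def hash_pw(password: str) -> str:
    # Placeholder for demonstration; a real service uses argon2/bcrypt/scrypt.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class User:
    password_hash: str
    pw_generation: int = 0  # bumped on every password change or reset

class AuthService:
    REFRESH_TTL = 30 * 86400  # seconds

    def __init__(self, users: dict[str, str]) -> None:
        self.users = {name: User(hash_pw(pw)) for name, pw in users.items()}
        # token id -> (username, pw_generation at issue time, expiry timestamp)
        self.tokens: dict[str, tuple[str, int, float]] = {}

    def login(self, name: str, password: str):
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(user.password_hash, hash_pw(password)):
            return None
        return self._issue(name)

    def _issue(self, name: str) -> str:
        token_id = secrets.token_urlsafe(32)
        self.tokens[token_id] = (name, self.users[name].pw_generation, time.time() + self.REFRESH_TTL)
        return token_id

    def refresh(self, token_id: str):
        entry = self.tokens.pop(token_id, None)  # refresh tokens are single-use
        if entry is None:
            return None
        name, generation, expires_at = entry
        # The fix: a token bound to an older password generation is rejected (works for stateless tokens too).
        if expires_at < time.time() or generation != self.users[name].pw_generation:
            return None
        return self._issue(name)

    def reset_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.password_hash = hash_pw(new_password)
        user.pw_generation += 1  # every refresh token issued before this point is now dead
        # Defence in depth: also purge the user's stored tokens.
        self.tokens = {tid: t for tid, t in self.tokens.items() if t[0] != name}
```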
Reported by
5hu8h4m_n4g4
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Violation of Secure Design Principles