Add "Token is Not Invalidated After Login" variant under "Weak Password Reset Implementation" #89

Closed
tasandberg opened this issue Sep 19, 2017 · 0 comments · Fixed by #95
tasandberg commented Sep 19, 2017

Explanation

This is a low-impact but sub-optimal behavior for PW reset flows. The scenario is as follows:

  1. User requests PW reset
  2. User remembers password and logs in normally
  3. PW reset is NOT invalidated, and the token/link remains valid for the usual duration

The fix would be making sure to invalidate any outstanding PW reset token when the user logs in.

This would be a P5, nested like so:
Insufficient Security Configurability > Weak Password Reset Implementation > Token is Not Invalidated After Login

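To make the scenario and the proposed fix concrete, here is an added Python example (not code from the VRT repository or from this issue); the service class, its method names and the in-memory user table are assumptions. Constructing it with `invalidate_on_login=False` reproduces the weak behaviour described above; the default clears any outstanding reset token on a successful login.

```python
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Store only a hash of the reset token so a read of the table cannot replay it.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    # invalidate_on_login=False reproduces the weak behaviour described in the issue.
    def __init__(self, token_ttl: int = 3600, invalidate_on_login: bool = True):
        self.users: dict[str, dict] = {}  # username -> record, stand-in for a DB table
        self.token_ttl = token_ttl
        self.invalidate_on_login = invalidate_on_login

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_pw(password, salt),
                                "reset_hash": None, "reset_expires": 0.0}

    def request_reset(self, username: str, now: float) -> str:
        # Step 1: issue one outstanding token (any earlier token is replaced).
        token = secrets.token_urlsafe(32)
        rec = self.users[username]
        rec["reset_hash"], rec["reset_expires"] = _hash_token(token), now + self.token_ttl
        return token

    def login(self, username: str, password: str) -> bool:
        # Step 2: a successful password login clears any pending reset token (the fix).
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw_hash"]):
            return False
        if self.invalidate_on_login:
            rec["reset_hash"], rec["reset_expires"] = None, 0.0
        return True

    def reset_token_is_valid(self, username: str, token: str, now: float) -> bool:
        # Step 3 check: with the fix applied this is False once the user has logged in.
        rec = self.users.get(username)
        if rec is None or rec["reset_hash"] is None or now > rec["reset_expires"]:
            return False
        return hmac.compare_digest(_hash_token(token), rec["reset_hash"])
```

A failed login attempt must not clear the token, otherwise anyone could cancel a legitimate reset by guessing wrong; only a verified password login does.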