Description
Hi there, I noticed a session takeover vulnerability on python.org.
Details are as follows:
Browser I Used
- Mozilla Firefox v48
- Google Chromium v51
Operating System Used
Windows 8.1; also checked on Edubuntu 14.04
Login Required
Yes
Vulnerable Link
https://www.python.org
Description
Existing sessions of a user account are not terminated after the account's password is changed.
Steps to reproduce issue
(You need two browsers here; a private/Incognito window also works.)
- Register an account on https://www.python.org with valid information.
- Log into the account in the first browser.
- In the second browser, log into the same account and change/reset the password.
- Now go back to the first browser and reload https://www.python.org. You will notice that the session is still alive and has not been terminated.
Possible Impact Scenario
Suppose the victim logs into their account at an internet cafe and forgets to log out.
Suppose you are the attacker and you find the victim's account still open on the same PC. The attacker can now install the 'EditThisCookie 1.4.1' Chrome extension and export/copy the victim's account cookies to a text file.
The victim then notices that someone is using their account and changes the password.
But the attacker still has the victim's account cookies, so they can import those cookies with 'EditThisCookie 1.4.1' and use the victim's account at any time, because existing sessions are not terminated after a password change. This may lead to misuse of the victim's details and account.
Expected
All live sessions must be terminated after the password is changed.
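To make the expected behaviour concrete, the following is an added example written for this report; it is not python.org's code and not Django's. It models a session store in two modes: one that, like the behaviour reported above, keeps a session valid for as long as its cookie exists, and one that binds each session to an HMAC of the stored password hash (similar in spirit to Django's session_auth_hash), so that a password change invalidates every other session for that user while the session that performed the change is re-bound and stays logged in. The users, passwords and server secret are constructed for the demonstration; it runs offline with the standard library only.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed example value: a per-deployment secret used to derive the
# session binding value. A real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def password_hash(password: str, salt: bytes) -> str:
    """Slow salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


class User:
    """Minimal user record: username plus salted password hash."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.set_password(password)

    def set_password(self, password: str) -> None:
        # A fresh salt means the stored hash changes on every password change,
        # even if the same password string is set again.
        self.salt = secrets.token_bytes(16)
        self.password_hash = password_hash(password, self.salt)

    def session_auth_hash(self) -> str:
        # Value every session is bound to: an HMAC over the stored password
        # hash, so it changes whenever the password changes.
        return hmac.new(SERVER_SECRET, self.password_hash.encode(), "sha256").hexdigest()


class SessionStore:
    """In-memory session store. With bind_to_password=False it behaves like
    the reported site: a session stays valid for as long as the cookie
    exists, regardless of password changes."""

    def __init__(self, bind_to_password: bool = True) -> None:
        self.bind_to_password = bind_to_password
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self, user: User) -> str:
        """Issue a new session id (the cookie value) bound to the user's hash."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "username": user.username,
            "auth_hash": user.session_auth_hash(),
        }
        return sid

    def authenticate(self, sid: str, users: Dict[str, User]) -> Optional[User]:
        """Return the user for a session cookie, or None if it is not valid."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        user = users.get(data["username"])
        if user is None:
            return None
        if self.bind_to_password and not hmac.compare_digest(
            data["auth_hash"], user.session_auth_hash()
        ):
            # Password changed after this session was issued: drop it.
            del self._sessions[sid]
            return None
        return user

    def rebind_after_password_change(self, sid: str, user: User) -> None:
        """Keep the session that performed the change logged in by re-binding
        it to the new hash; every other session for this user now fails."""
        if sid in self._sessions:
            self._sessions[sid]["auth_hash"] = user.session_auth_hash()


def run_scenario(bind_to_password: bool) -> Dict[str, bool]:
    """Replay the report's two-browser steps against a store and report
    which sessions survive the password change."""
    users = {"alice": User("alice", "correct horse")}  # constructed user
    alice = users["alice"]
    store = SessionStore(bind_to_password=bind_to_password)

    browser1 = store.login(alice)  # first browser: left logged in
    browser2 = store.login(alice)  # second browser: changes the password
    assert store.authenticate(browser1, users) is alice

    alice.set_password("battery staple")
    store.rebind_after_password_change(browser2, alice)

    return {
        "browser1_still_valid": store.authenticate(browser1, users) is not None,
        "browser2_still_valid": store.authenticate(browser2, users) is not None,
    }


if __name__ == "__main__":
    print("unbound sessions:", run_scenario(bind_to_password=False))
    print("bound sessions:  ", run_scenario(bind_to_password=True))
```

In the unbound mode both browsers remain logged in after the password change, which is the behaviour described in the report; in the bound mode the first browser's session is rejected on its next request while the second browser, which performed the change, stays logged in. Because the check compares the stored hash on every request, a copied cookie stops working as soon as the password changes, which is exactly the "Expected" outcome above.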