I reported a vulnerability on Bugcrowd from my account : . It's been about more than a month since its status changed to triaged, but there is still no update from your side, and no reward for my finding. Can you please check the status? It was submitted on 2017-01-19. This was the issue, basically.
Hi, I found a vulnerability in your site. I observed that when we request a password reset link for the account and then log in to the same account, instead of expiring after the login, the password reset link still opens up and the password will be changed.
Bug Type : Session Management issue
Reproducing Steps :
1- Get Password Reset link for
2- Don't use the password reset link yet.
3- Now Login to the
4- Now use the password reset which we generated; it opens up.
5- And the password changed successfully.
Password reset link should expire when you log in on the 3rd step.
Hi @HusnainI4. Thanks for reaching out to us. I see what you mean by the password reset link still being active after you log into the account. The password reset link that you receive does stay active for 24 hours after it has been sent so that is why you were still able to access it. I apologize for any confusion or concern this may have caused you. I will note this feedback in your account and send it over to the appropriate team.
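The two behaviours discussed in this thread, side by side, as an added example that is not part of either post and not the site's own code: a reset-token store with the 24-hour lifetime from the reply and an optional revoke-on-login policy matching what the report asks for. The class and function names and the user address are hypothetical.

```python
import hashlib
import secrets

RESET_TTL = 24 * 3600  # the 24-hour link lifetime stated in the reply


class ResetTokens:
    """In-memory store (hypothetical); only SHA-256 digests of tokens are kept."""

    def __init__(self, revoke_on_login):
        self.revoke_on_login = revoke_on_login
        self._by_digest = {}  # digest -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def revoke_user(self, user):
        self._by_digest = {d: v for d, v in self._by_digest.items() if v[0] != user}

    def issue(self, user, now):
        # A new request replaces any older outstanding link for this user.
        self.revoke_user(user)
        token = secrets.token_urlsafe(32)
        self._by_digest[self._digest(token)] = (user, now + RESET_TTL)
        return token

    def on_login_success(self, user):
        # Step 3 of the report: drop pending links when the policy is enabled.
        if self.revoke_on_login:
            self.revoke_user(user)

    def redeem(self, token, now):
        # pop() makes the token single-use whether or not it has expired.
        entry = self._by_digest.pop(self._digest(token), None)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]  # user whose password may now be changed


def replay_report(revoke_on_login, login_delay=600):
    """Run steps 1-4 of the report; return the user the link resolves to."""
    user = "alice@example.test"  # constructed sample account
    store = ResetTokens(revoke_on_login)
    token = store.issue(user, now=0)             # step 1: request the link
    store.on_login_success(user)                 # step 3: log in normally
    return store.redeem(token, now=login_delay)  # step 4: open the old link
```

With `revoke_on_login=False` the replay resolves to the account, which is the behaviour the reply describes; with `True` the link is dead after step 3.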