SaTT-Wallet / Backend

This backend provides the web services for the SaTT Token WebWallet and advertising campaign manager
MIT License

Bug report : 2 #5

Closed yesh2406 closed 2 years ago

yesh2406 commented 2 years ago

Hi,

This issue is broken authentication and improper session management: failure to invalidate the session after a password change.

Host: dapp.satt.io

Severity: Low

Broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise.

Usually, when you change your password or sign out from one place (or one browser), anyone who has the same account open in another browser is automatically signed out too. Basically, your session is destroyed on the server side.

But on your site, it's still alive.

Steps to reproduce:

1) Open the same account in two different browsers.

2) Change the password from one of the browsers.

3) Check whether you are still able to access the account from the other browser or device.

4) If you can still access the account, this is broken authentication and improper session management.

Impact:

For example, user X signs in to your site on his office computer, in a public internet cafe, or on any other device or third person's machine, and forgets to log out from that device. Later he realizes this and changes his password. But it won't affect the attacker: the session is still alive until the attacker logs out. So the attacker will have complete access to the victim's account and wallet, can edit the victim's profile, etc.

Best, Yesh

yesh2406 commented 2 years ago

Any updates?