Session Related Issue On Password Reset Function
Assalamu Alaikum
peace be upon you
Hello hackers. I hope you are well. I am Tamim Hasan, a security researcher and bug bounty hunter from Bangladesh 🇧🇩.
Today I am talking about a simple bug that I found on Intigriti (a bug hunting platform). It is in the password reset function.
So what is the password reset functionality?
In simple words, it is the functionality that lets users regain access to their account via email/number if they forget their password.
## Steps to find
1. Log into the same account in two browsers.
2. Send the password reset link to your email. (account A)
3. Don't open the password reset link.
4. Open your account. (account B)
5. Go to your account settings.
6. Under Account, you will see Account Overview.
7. Go to the Email and password option, change the email and verify it.
8. After changing the email, go back to your password reset link.
9. Change the password.

Boom :)

The reset link that was sent to the old email address still works after the email has been changed, so you can successfully set a new password for the account that is now bound to the new email. The pending reset token is not invalidated when the account's email changes.
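As an added example (not code from the original post or from Intigriti), here is what a reset-token store that closes this gap could look like: the token is bound to the email it was sent to, and changing the email invalidates any outstanding token. Every name here (ACCOUNTS, issue_reset_token, change_email, redeem_reset_token) is an assumption for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store for this example: account_id -> record.
ACCOUNTS = {}
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def create_account(account_id, email, password):
    # Password hashing is out of scope here; a real store never keeps plaintext.
    ACCOUNTS[account_id] = {"email": email, "password": password, "reset": None}


def _digest(token):
    # Only a hash of the token is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(account_id, now=None):
    acct = ACCOUNTS[account_id]
    token = secrets.token_urlsafe(32)
    issued_at = now if now is not None else time.time()
    # Bind the token to the email it is being sent to, with an expiry.
    acct["reset"] = {"digest": _digest(token), "email": acct["email"],
                     "expires": issued_at + RESET_TTL_SECONDS}
    return token


def change_email(account_id, new_email):
    acct = ACCOUNTS[account_id]
    acct["email"] = new_email
    # Fix for the bug in the write-up: an email change revokes pending resets.
    acct["reset"] = None


def redeem_reset_token(account_id, token, new_password, now=None):
    acct = ACCOUNTS[account_id]
    pending = acct["reset"]
    if pending is None:
        return False
    if not secrets.compare_digest(pending["digest"], _digest(token)):
        return False
    checked_at = now if now is not None else time.time()
    # Expired, or sent to an address the account no longer uses: reject and clear.
    if checked_at > pending["expires"] or pending["email"] != acct["email"]:
        acct["reset"] = None
        return False
    acct["password"] = new_password
    acct["reset"] = None  # single use
    return True
```

The second email check inside redeem_reset_token is defence in depth: even if some other code path updates the email without clearing the token, the stale link is still refused.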
I submitted it to a bug bounty program hosted on Intigriti and they triaged it as Low. I was not lucky enough, because that program only starts paying bounties from Medium severity. But it is still helpful for a beginner like me 😊