
Bug Report: Failure to Invalidate Sessions After Password Change + No User Notification After Password Change

Insecure Session Management Aug 25, 2025

Researcher: Vedant lastname

Description

Severity: 🔴 Critical
This is a chained business logic vulnerability involving two interconnected flaws:

Sessions are not invalidated after a password change.
Users are not notified when their password is changed.

Together, these issues enable stealthy account takeover and prolonged unauthorized access.

Reported by:
Hi, I'm Vedant Tanaji Vhatkara, a security researcher passionate about identifying business logic flaws and improving user safety across digital platforms. I discovered this issue during routine testing and believe it poses a serious risk to user accounts and platform integrity.

Summary:

The application fails to invalidate active sessions after a user changes their password and does not notify the user of the change. This combination allows attackers with session access to retain control of the account and conceal their activity from the legitimate user.
Video PoC: https://drive.google.com/file/d/1f1FAmCCgQLfzcquS-f0ZM6H5GZhIc57I/view?usp=drive_link

Reported on: Aug 25, 2025

Impact

Silent Account Takeover: Attackers can retain access without triggering suspicion.
No Audit Trail: Users are unaware of critical changes to their account.
Security Blind Spot: The system fails to treat password changes as high-risk events.
Compliance Violation: May breach security standards (e.g., OWASP, GDPR, ISO 27001).

Suggested Fix

Invalidate all sessions except the one initiating the password change.
Send an immediate email and/or in-app notification to the user.
Log the event in the user's account activity.
Offer session/device management so users can monitor and revoke access.
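The following is an added example, not code from the report or the affected application, showing how the suggested fixes fit together: each server-side session is bound to the password version it was issued under, so a password change automatically rejects every older session, keeps the initiating one, and records a notification and an activity-log entry. All names (User, SessionStore, the change_password_* functions) are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password_hash: str
    password_version: int = 1          # bumped on every password change
    activity_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


class SessionStore:
    """Server-side sessions, each bound to the password version it was issued under."""

    def __init__(self):
        self._sessions = {}  # session_id -> (username, password_version)

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user.username, user.password_version)
        return sid

    def rebind(self, sid, user):
        # Re-issue an existing session under the user's current password version.
        self._sessions[sid] = (user.username, user.password_version)

    def is_valid(self, sid, user):
        # A session issued under an older password version is rejected.
        return self._sessions.get(sid) == (user.username, user.password_version)

    def active_sessions(self, user):
        return [sid for sid, (name, ver) in self._sessions.items()
                if name == user.username and ver == user.password_version]


def change_password_vulnerable(store, user, sid, new_hash):
    # The behaviour the report describes: the credential changes, nothing else does.
    user.password_hash = new_hash


def change_password_fixed(store, user, sid, new_hash):
    user.password_hash = new_hash
    user.password_version += 1          # every other session fails is_valid from here
    store.rebind(sid, user)             # keep only the session that made the change
    user.activity_log.append({"event": "password_changed",
                              "at": time.time(), "session": sid})
    user.notifications.append("Your password was changed. If this was not you, "
                              "review your active sessions and reset it now.")
```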