Token Is Not Invalidated After Email Change
Weak Password Reset Implementation (Token is Not Invalidated After Email Change)
Overview of the Vulnerability
The password reset implementation needs to use a unique, temporary, high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application's password reset implementation is weak because a reset token issued to an email address that is no longer associated with the account can still be used to reset that account's password.
Business Impact
A weak password reset implementation can result in reputational damage for the business through the loss of customers' trust, as customers may conclude that the business does not take account security seriously, or lose confidence that their data will remain secure.
If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business depends on the sensitivity of the data stored in and transmitted by the application, as well as the level of access gained by the attacker.
Steps to Reproduce
Use a browser to log in and navigate to: {{URL}}
Initiate a password reset
Navigate to the following URL and modify the account email address
Observe that the password reset token that was received in the earlier step is still valid
Proof of Concept (PoC)
The following screenshot shows that the password reset token is not invalidated after the email change:
{{screenshot}}
Recommendation(s)
The password reset token should be invalidated if the account email changes. Overall, the password reset implementation should conform to the following guidelines:
A secure password policy should be in place for the user to create a strong new password
Password reset tokens should be long to protect against brute force guessing attacks, linked to an individual, invalidated after use, and have a short expiry time
Passwords should be stored and transmitted securely
Once a user's password has been reset, they should be prompted to log in again through the usual login portal and not automatically signed in
For more information refer to the following guide relating to this vulnerability: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
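The following is an added example (not code from the application under test) of a reset token store that follows the recommendations above: tokens are high-entropy, stored only as a hash, single-use, short-lived, bound to the email address they were mailed to, and revoked when the account's email changes. The invalidate_on_email_change flag, the TOKEN_TTL_SECONDS value and the in-memory dictionaries are assumptions for illustration; False reproduces the weak behaviour in this report, True is the recommended fix.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed short expiry; tune to the application


class ResetTokenStore:
    def __init__(self, invalidate_on_email_change=True):
        # False models the weak behaviour in this report; True is the recommended fix
        self.invalidate_on_email_change = invalidate_on_email_change
        self.users = {}   # user_id -> current email address
        self.tokens = {}  # sha256(token) -> {"user_id", "email", "expires_at", "used"}

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked token table yields no live tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def _revoke_all_for(self, user_id):
        for rec in self.tokens.values():
            if rec["user_id"] == user_id:
                rec["used"] = True

    def issue_token(self, user_id, now=None):
        now = time.time() if now is None else now
        self._revoke_all_for(user_id)  # at most one outstanding token per account
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self.tokens[self._digest(token)] = {
            "user_id": user_id, "email": self.users[user_id],  # bound to the address mailed
            "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
        return token

    def change_email(self, user_id, new_email):
        self.users[user_id] = new_email
        if self.invalidate_on_email_change:
            self._revoke_all_for(user_id)  # the fix: the old address can no longer reset the password

    def consume_token(self, token, now=None):
        """Return the user_id if the token is valid and mark it used, else None."""
        now = time.time() if now is None else now
        rec = self.tokens.get(self._digest(token))
        if rec is None or rec["used"] or now >= rec["expires_at"]:
            return None
        if self.invalidate_on_email_change and rec["email"] != self.users[rec["user_id"]]:
            return None  # defence in depth: address changed since the token was issued
        rec["used"] = True  # single use
        return rec["user_id"]
```

A regression test for this finding is simply: issue a token, change the account email, and assert that consume_token returns None.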