When a user changes their email ID, any password reset tokens that are valid for that user should be invalidated.
Attack Scenario:
Let's say the example1@example.com email is compromised and is in the hands of the attacker. The attacker requests a password reset email; in the meantime, legituser logs in to the VSP and changes the email to a secure email, example2@example.com. Now the attacker can reset the password using the link that is available in example1@example.com and take over the account.
This is a very low-risk issue since the reset link is invalidated after an hour and requires that the email of the user gets compromised (which is out of our control).
This vulnerability has been reported through the Bug Bounty program.
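The fix the issue asks for, as an added illustration in Go (this is not dcrstakepool's own code; `Store`, `Issue`, `ChangeEmail` and `Redeem` are hypothetical names, and the in-memory maps stand in for the pool's database). Changing the e-mail revokes every outstanding reset token for that account, and as a second line of defence each token is bound to the e-mail it was sent to and rejected at redemption if the account's address has since changed:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// resetToken: the account a reset link was issued for, the e-mail it was sent to, and its expiry.
type resetToken struct{ userID int; email string; expires time.Time }

// Store is a hypothetical in-memory stand-in for the VSP's user and reset-token tables.
type Store struct {
	Emails map[int]string        // userID -> current e-mail on file
	tokens map[string]resetToken // token -> issuance metadata
	Now    func() time.Time      // injectable clock, so expiry can be tested
}

func NewStore() *Store {
	return &Store{Emails: map[int]string{}, tokens: map[string]resetToken{}, Now: time.Now}
}

// Issue creates a random one-hour reset token bound to the e-mail on file at issuance.
func (s *Store) Issue(userID int) (string, error) {
	email, ok := s.Emails[userID]
	if !ok { return "", errors.New("unknown user") }
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { return "", err }
	tok := hex.EncodeToString(b)
	s.tokens[tok] = resetToken{userID, email, s.Now().Add(time.Hour)}
	return tok, nil
}

// ChangeEmail stores the new address and revokes every outstanding reset token for the account.
func (s *Store) ChangeEmail(userID int, newEmail string) {
	s.Emails[userID] = newEmail
	for tok, rt := range s.tokens { // deleting while ranging over a map is safe in Go
		if rt.userID == userID { delete(s.tokens, tok) }
	}
}

// Redeem consumes a token once; it also fails closed if the bound e-mail no longer matches.
func (s *Store) Redeem(tok string) (int, error) {
	rt, ok := s.tokens[tok]
	delete(s.tokens, tok)
	if !ok { return 0, errors.New("invalid or revoked token") }
	if s.Now().After(rt.expires) { return 0, errors.New("token expired") }
	if rt.email != s.Emails[rt.userID] { return 0, errors.New("e-mail changed since the token was issued") }
	return rt.userID, nil
}
```

In a real deployment the token column should hold a hash of the token rather than the token itself, so a database read does not yield usable reset links.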
degeri added a commit to degeri/dcrstakepool that referenced this issue on Mar 16, 2019.