Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lack of Cache Control Leads to Privacy Risk under Rare Circumstance #51

Open
abhisek opened this issue Jun 23, 2020 · 0 comments
Open

Comments

@abhisek
Copy link
Member

@abhisek abhisek commented Jun 23, 2020

Reported to security team:

Hi Team,

Vulnerability class: Business logic Failure - Browser cache management and logout vulnerability.

Vulnerability Impact: Logging out from an application does not clear the browser cache of any sensitive information that has been stored.

Steps to reproduce:

1. Login to portal.
2. Browse a few tabs
3. Click Logout
4. Click the browser back button you should able to see the previous page and not only the previous page but also viewed pages in the portal by clicking back button Please find the POC attachment below.

Please refer the POC attached,

Thanks and Regards,
Venkat Malla

We are considering this as:

  • Privacy risk under rare circumstances as almost all info in post-auth pages are public anyway, except email address, which may be affected only if an attacker has access to browser cache of a victim.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant