Session Fixation in alovoa/alovoa
Sep 16th 2021
When a user changes their password, neither the session used to change it nor any older sessions in other browsers or devices expire; all of them remain active.
Proof of Concept
STEPS TO REPRODUCE:
- Log in on Browser A and make sure to check the 'stay logged in to this device' checkbox while logging in.
- From Browser B, log in to your account and change the password. Notice that the session on Browser A remains active and does not expire.
The session doesn't expire even after the victim changes the password. Because of this bug, a victim whose account has already been compromised has no way to revoke the attacker's access.
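The server-side behaviour a defender wants instead, as an added example that is not alovoa's own code: the store tracks which user owns every session and every 'stay logged in' token, and a password change revokes all of them except a freshly rotated session for the device that made the change. The store, function names and in-memory layout are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example: an in-memory store that maps each session cookie and
# each persistent remember-me token back to the user who owns it.

@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)         # session id -> username
    remember_tokens: dict = field(default_factory=dict)  # remember-me token -> username

def login(store, username, remember=False):
    """Create a fresh session; optionally mint a persistent remember-me token."""
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = username
    token = None
    if remember:
        token = secrets.token_urlsafe(32)
        store.remember_tokens[token] = username
    return sid, token

def is_session_valid(store, sid):
    return sid in store.sessions

def redeem_remember_token(store, token):
    """Exchange a remember-me token for a new session, or None if it was revoked."""
    username = store.remember_tokens.get(token)
    if username is None:
        return None
    sid, _ = login(store, username)
    return sid

def change_password(store, username, current_sid):
    """Revoke every session and remember-me token belonging to the user, then
    issue a rotated session id to the device that performed the change."""
    for sid in [s for s, u in store.sessions.items() if u == username]:
        del store.sessions[sid]
    for tok in [t for t, u in store.remember_tokens.items() if u == username]:
        del store.remember_tokens[tok]
    new_sid = secrets.token_urlsafe(32)   # the changing device stays logged in
    store.sessions[new_sid] = username
    return new_sid
```

With this in place, the reproduction above fails at the last step: Browser A's cookie and its remember-me token are both rejected after Browser B changes the password.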