Hello,

On Tue, May 19, 2026 at 11:53:47PM +0500, Farhana wrote:
> Hey Team,
>
> My name is Farhana and I'm a penetration tester and bug bounty hunter. I've
> reported one of my findings so that you can review it, as well as fix this
> issue.
>
> Please review the report below.
>
> *Vulnerability: Broken Authentication & Session Management*
> We have observed that when we change "password" from one browser in place
> of session expiration from another browser it just updates the password
> from another browser and the old session gets updated without being logged
> out. The flow goes like this:
> *Broken Authentication and Session Management > Failure to Invalidate
> Session > On Password Change*
> *Steps:*
> 1- Login from two browsers at a time [From Chrome browser and from Mozilla
> Firefox].
> 2- Change password in settings from chrome browser.
> 3- Now Check Mozilla Firefox.
> 4- Your Session got "updated" in place of expiration.
>
> *Same goes with when using two different computer systems.*
> 1- Login from two computers at a time
> 2- Change password in settings from computer A.
> 3- Now Check computer B.
> 4- Your Session got "updated" in place of expiration.
>
> Recommendations: If Session is Updating from one Browser/Computer so other
> should expire first to renew session after login.
>
> If you require any additional information, please let me know. I'll be
> waiting to hear from your side regarding the report and bounty. I'll share
> my other findings as well, once I've heard back from you.

I think you're reporting this to the wrong place as there's no such thing
as login nor password nor even session management here I'm afraid.

Thanks,
Willy

