Closed Bug 1268631 Opened 8 years ago Closed 7 years ago

session Hijacking

Categories

(Webmaker Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: eldeebxboy, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160407164938

Steps to reproduce:

Hello Mozilla team, I found session hijacking (takeover) in https://teach.mozilla.org/

Steps to reproduce:
1. Log in to your account from two devices.
2. Change your password from one of them.
3. The two devices are still working, and changing your password does not log out the other session.

(Password change not terminating other open sessions.) This will lead to a session takeover vulnerability.
When the user changes his password, the other open sessions should expire.
Thanks


Actual results:

The actual result is that when the user changes his password, all other open sessions still work.


Expected results:

When the user changes his password, all other sessions should be ended to protect users' accounts from the session takeover vulnerability.
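
The expected behaviour in the report above, sketched as an added example (not part of the original report and not Webmaker code): each session records the account's credential epoch when it is issued, and a password change bumps the epoch so that every earlier session fails validation. The `SessionStore` class, its method names and the in-memory storage are hypothetical.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """In-memory sketch; class and method names are hypothetical."""

    def __init__(self):
        self.accounts = {}   # user -> {"salt", "hash", "epoch"}
        self.sessions = {}   # token -> (user, account epoch when the token was issued)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt), "epoch": 0}

    def _issue(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.accounts[user]["epoch"])
        return token

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct and hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            return self._issue(user)
        return None

    def whoami(self, token):
        """Return the user for a live session, or None if unknown or stale."""
        user, epoch = self.sessions.get(token, (None, None))
        if user is None:
            return None
        if epoch != self.accounts[user]["epoch"]:
            del self.sessions[token]   # issued before the last password change
            return None
        return user

    def change_password(self, token, new_password):
        """Set a new password; return a fresh token for the calling device only."""
        user = self.whoami(token)
        if user is None:
            return None
        acct = self.accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["epoch"] += 1             # every earlier session for this account is now stale
        del self.sessions[token]
        return self._issue(user)
```

The device that changes the password continues with the token returned by `change_password`; the token held by the second device is rejected on its next request.
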
Component: Security Assurance: Applications → General
Product: mozilla.org → Webmaker
QA Contact: brett
Version: other → unspecified
Closing this bug as part of the Deprecation of the Webmaker Product on Bugzilla. If this issue needs to be resolved in another manner, re-file it in a new Product or find the associated project on GitHub (http://github.com/mozilla) and file an issue there.

see bug 1347718
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE