Password Change not notified when changed from settings
State Informative (Closed)
Disclosed publicly 2019-02-08T19:09:55.689Z
Reported To
Weakness Unverified Password Change

submitted a report to Starbucks.


Password change is not notified to the account owner if it is made from the account settings. This is very crucial as, once the account is compromised, the attacker can change the password without giving any clue to the victim.

Steps to reproduce the issue:

  1. Sign in with a valid username and password to
  2. Go to your settings and personal info.
  3. Click change your password.
  4. Change your password.
  5. Look for a notification in your email.
  6. No emails are sent.

Reproducible with all valid accounts.

Password changes made via the forgot-password reset flow are notified, while this notification is missing.



karthik87mit Activities::Comment
@starbucks I also noted this behavior in your website. In this case it does not send a password notification either via the password reset flow or from the settings flow.

Steps to reproduce the issue:

  1. Sign in with a valid username to
  2. Click forgot password and submit the registered email address.
  3. A reset password link will be sent to your email.
  4. Click on the link.
  5. Enter and change your password.
  6. Confirm your password.
  7. Look for a notification in your email.
  8. No emails are received.

This is more risky as the user is unaware if the account is compromised. It also allows me to set the same password as the new password, which is again not the right practice from a security point of view. Please let me know if you need more information on this.
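The mitigation both the report and the comment above ask for, as an added example that is not Starbucks' code or anything from this thread: the settings flow and the reset flow both end in one password-writing function, so neither flow can skip the owner notification, and reusing the current password is rejected. Account, the in-memory notification list (standing in for a mailer) and the token set are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    # Constructed stand-in for an outbound mailer: one entry per notification sent.
    notifications: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is only a placeholder KDF; the shared flow, not the KDF, is the point.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, _hash(password, salt))


def _set_password(acct: Account, new_password: str, source: str) -> None:
    """The only writer of pw_hash: every flow ends here, so every flow notifies."""
    if hmac.compare_digest(_hash(new_password, acct.salt), acct.pw_hash):
        raise ValueError("new password must differ from the current one")
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    # Notification is sent on the same code path as the write, never left to the caller.
    acct.notifications.append(f"to={acct.email} event=password_changed source={source}")


def change_password_from_settings(acct: Account, current_password: str, new_password: str) -> None:
    if not hmac.compare_digest(_hash(current_password, acct.salt), acct.pw_hash):
        raise PermissionError("current password does not match")
    _set_password(acct, new_password, "settings")


def issue_reset_token(issued_tokens: set) -> str:
    token = secrets.token_urlsafe(32)
    issued_tokens.add(token)
    return token


def reset_password_with_token(acct: Account, token: str, new_password: str, issued_tokens: set) -> None:
    if token not in issued_tokens:
        raise PermissionError("invalid or expired reset token")
    issued_tokens.discard(token)  # single use
    _set_password(acct, new_password, "reset")
```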

joystick Activities::BugInformative
Hi, Thank you for your report. This is more a best practice than a security vulnerability per se. As a result, we do not think this meets the bar for a security concern and it's not eligible for this bug bounty program. Regards.

karthik87mit Activities::Comment
It is indeed a security vulnerability. Without notification, password change is dangerous. Look at the following report, accepted as a vulnerability on HackerOne.

karthik87mit Activities::Comment
Can you reconsider this resolution?

karthik87mit Activities::Comment
@starbucks please reply.

joystick Activities::Comment
Hi - As I said before, this is a security best practice and not a flaw. Not implementing this does not mean a user account would get compromised somehow. Thanks for the effort and time you put into this! Looking forward to more reports from you.

karthik87mit Activities::AgreedOnGoingPublic

karthik87mit Activities::Comment
Can we do a public disclosure please?

karthik87mit Activities::Comment
@starbucks @joystick any updates please?

overice Activities::ChangedScope

overice Activities::AgreedOnGoingPublic

overice Activities::ReportBecamePublic