Password Change not notified when changed from settings
State Informative (Closed)
Disclosed publicly 2019-02-08T19:09:55.689Z
Reported To
Weakness Unverified Password Change
Bounty

Timeline
submitted a report to Starbucks .
2017-06-24T08:34:18.654Z

Hi,

Password change is not notified to the account owner if it's made from the account settings. This is very crucial as, once the account is compromised, the attacker can change the password without giving any clue to the victim.

Steps to reproduce the issue:

  1. Sign in with a valid username and password to www.starbucks.com
  2. Go to your settings and personal info.
  3. Click change your password
  4. Change your password
  5. Look for a notification in your email.
  6. No emails are sent.

Can be reproducible with all valid accounts.

Password changes made via the forgot-password reset flow are notified, while this notification is missing from the settings flow.

Thanks,
Karthik

Regards,
Frans

  • 0 attachments:
karthik87mit Activities::Comment
2017-06-24T14:40:40.919Z
@starbucks I also noted this behavior in your website https://www.teavana.com. In this case it does not send a password notification either via the password reset flow or from the settings flow.

Steps to reproduce the issue:

  1. Sign in with a valid username to https://www.teavana.com
  2. Click forgot password and submit the registered email address
  3. A reset password link will be sent to your email
  4. Click on the link
  5. Enter and change your password
  6. Confirm your password
  7. Look for a notification in your email.
  8. No emails are received.

This is more risky as the user is unaware if the account is compromised. It also allows me to set the same password as the new password, which is again not the right practice from a security point of view. Please let me know if you need more information on this.
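The two gaps raised in the report and the comment above (no owner notification when the password is changed from settings or via the reset link, and the reset flow accepting the current password as the "new" one) come down to one design point: every route that rotates the credential should end in the same tail that writes the new hash and e-mails the account owner. The following is an added example written for this page, not Starbucks', Teavana's or HackerOne's code; `Account`, `Outbox`, `PasswordService`, the token TTL and the session-invalidation step are all constructed stand-ins and assumptions, and the hashing uses only the Python standard library so it runs offline.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Added illustration, not the vendor's code. Account/Outbox/PasswordService are
# constructed stand-ins for an account store, a mail queue and the app layer.
PBKDF2_ROUNDS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds; an assumption, not taken from the report


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt unless one is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    sessions: set = field(default_factory=set)
    reset_token_hash: bytes = b""    # sha256 of the outstanding reset token
    reset_token_expiry: float = 0.0


@dataclass
class Outbox:
    """Collects outgoing mail so a test can inspect what the owner would get."""
    messages: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.messages.append((to, subject, body))


def create_account(email: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(email=email, salt=salt, digest=digest)


def open_session(acct: Account) -> str:
    sid = secrets.token_hex(16)
    acct.sessions.add(sid)
    return sid


class PasswordService:
    def __init__(self, outbox: Outbox):
        self.outbox = outbox

    def _apply_change(self, acct: Account, new_password: str, source: str) -> tuple:
        """Shared tail: whichever route rotated the credential, notify the owner."""
        acct.salt, acct.digest = hash_password(new_password)
        acct.sessions.clear()  # drop other sessions (added hardening, an assumption)
        acct.reset_token_hash, acct.reset_token_expiry = b"", 0.0
        self.outbox.send(acct.email, "Your password was changed",
                         f"Your password was changed via {source}. If this was not "
                         "you, reset your password immediately and contact support.")
        return True, "changed"

    def change_from_settings(self, acct: Account, session_id: str,
                             current_password: str, new_password: str) -> tuple:
        """Settings flow: re-authenticate, refuse a no-op change, then notify."""
        if session_id not in acct.sessions:
            return False, "not signed in"
        if not verify_password(current_password, acct.salt, acct.digest):
            return False, "current password incorrect"
        if verify_password(new_password, acct.salt, acct.digest):
            return False, "new password must differ from the current one"
        return self._apply_change(acct, new_password, "account settings")

    def issue_reset_token(self, acct: Account) -> str:
        """Forgot-password step 1: mail a single-use token, store only its hash."""
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_token_expiry = time.time() + RESET_TOKEN_TTL
        self.outbox.send(acct.email, "Reset your password", f"Reset token: {token}")
        return token

    def reset_with_token(self, acct: Account, token: str, new_password: str) -> tuple:
        """Forgot-password step 2: same tail as settings, same reuse check."""
        presented = hashlib.sha256(token.encode()).digest()
        if not acct.reset_token_hash or not hmac.compare_digest(presented, acct.reset_token_hash):
            return False, "invalid reset token"
        if time.time() > acct.reset_token_expiry:
            return False, "reset token expired"
        if verify_password(new_password, acct.salt, acct.digest):
            return False, "new password must differ from the current one"
        return self._apply_change(acct, new_password, "password reset link")
```

The point of routing both flows through `_apply_change` is that the notification cannot be forgotten on one path and present on the other, which is exactly the asymmetry the report describes. The "changed via ..." text in the mail gives the owner the detection signal the reporter asked for: a message they did not expect is the cue that the account is in someone else's hands.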


joystick Activities::BugInformative
2017-06-24T14:56:22.713Z
Hi, Thank you for your report. This is a best practice rather than a security vulnerability per se. As a result, we do not think this meets the bar for a security concern and it's not eligible for this bug bounty program. Regards.


karthik87mit Activities::Comment
2017-06-24T15:24:29.390Z
It is indeed a security vulnerability. Without notification, a password change is dangerous. Look at the following report, accepted as a vulnerability on HackerOne: https://hackerone.com/reports/92251


karthik87mit Activities::Comment
2017-06-24T15:25:23.101Z
Can you reconsider this resolution?


karthik87mit Activities::Comment
2017-06-24T15:27:05.578Z
@starbucks please reply.


joystick Activities::Comment
2017-06-24T15:29:00.142Z
Hi - As I said before, this is a security best practice and not a flaw. Not implementing this does not mean a user account would get compromised somehow. Thanks for the effort and time you put into this! Looking forward to more reports from you.


karthik87mit Activities::AgreedOnGoingPublic
2017-06-25T03:09:22.491Z


karthik87mit Activities::Comment
2017-06-25T09:48:34.210Z
Can we do a public disclosure please?


karthik87mit Activities::Comment
2017-06-27T08:43:24.041Z
@starbucks @joystick any updates please?


overice Activities::ChangedScope
2018-11-21T19:05:37.347Z


overice Activities::AgreedOnGoingPublic
2019-02-08T19:09:55.623Z


overice Activities::ReportBecamePublic
2019-02-08T19:09:55.715Z