Double authentication bypass
State Informative (Closed)
Disclosed publicly 2018-10-11T16:21:58.651Z
Weakness none

Summary by w2w

Report describes the current behavior of the "Bind session to IP" and "Disable parallel session" security settings and is unrelated to authentication.
While the behavior doesn't match the reporter's expectation (e.g. mobile and desktop sessions may exist in parallel despite the settings), the current behavior is considered valid and expected, because it matches typical use patterns and the intended attack vectors/scenarios (forgotten or hijacked web session).

Timeline
submitted a report to Mail.Ru.
2018-03-09T15:31:18.176Z

Regards,
Frans

3apa3a Activities::BugInformative
2018-03-12T08:38:57.725Z

w2w Activities::AgreedOnGoingPublic
2018-03-12T13:31:01.515Z

3apa3a Activities::ReportSeverityUpdated
2018-10-09T12:13:27.514Z

3apa3a Activities::AgreedOnGoingPublic
2018-10-11T16:21:58.625Z

3apa3a Activities::ReportBecamePublic
2018-10-11T16:21:58.669Z

3apa3a Activities::ReportVulnerabilityTypesUpdated
2018-10-11T16:25:06.134Z