
Password reset link does not expire after email change is a P4 severity vulnerability, not P5 #487

@Exploit90

Description

Hey everyone,

I’m following up on an issue I reported where the password reset link doesn't expire after an email change. This was marked as P5 (low priority), but I think it deserves a higher classification for a couple of reasons:

Why this should be taken more seriously:

Security Vulnerability: If the user changes their email but the reset link remains valid, an attacker who still has access to the old email could potentially use the link to reset the password, even after the account details have been updated.

Expected Behavior: It's standard security practice for the reset link to expire immediately once the email is changed, ensuring that the old email cannot be exploited to reset the password after the update.

Given the potential security implications, I believe this is at least a P4 bug, not P5.

Reference HackerOne report: https://hackerone.com/reports/685007

Please respond, Bugcrowd. Thanks @codingo @TimmyBugcrowd

Regards,

Darknight21
Hunter/Security researcher
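The expected behaviour described in the report (outstanding reset links become unusable the moment the account email changes) is shown below as an added, self-contained Python example; it is not code from the reporter or from any Bugcrowd system, and the `ResetService` class, its in-memory stores and the `example.test` addresses are assumptions made for illustration. Each token is bound to the email it was issued for, is single use, has a TTL, and every outstanding token is revoked when the email changes; the email binding is kept as a second check so that a token surviving a missed revocation still cannot be redeemed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password_hash: str = "initial-hash"
    # token -> (email the token was issued for, expiry as unix time)
    reset_tokens: dict = field(default_factory=dict)


class ResetService:
    """Hypothetical in-memory reset-token service (assumption, for illustration)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.accounts = {}  # account id -> Account

    def create_account(self, account_id, email):
        self.accounts[account_id] = Account(email=email)

    def issue_reset_token(self, account_id, now=None):
        acct = self.accounts[account_id]
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, one per request
        acct.reset_tokens[token] = (acct.email, now + self.ttl)
        return token

    def change_email(self, account_id, new_email):
        acct = self.accounts[account_id]
        acct.email = new_email
        acct.reset_tokens.clear()  # revoke every link sent to the old address

    def redeem_reset_token(self, account_id, token, new_password_hash, now=None):
        acct = self.accounts[account_id]
        now = time.time() if now is None else now
        # constant-time lookup so a wrong token leaks nothing through timing
        hit = [t for t in acct.reset_tokens if hmac.compare_digest(t, token)]
        if not hit:
            return False
        bound_email, expires_at = acct.reset_tokens.pop(hit[0])  # single use
        if now > expires_at:
            return False
        if bound_email != acct.email:
            return False  # defence in depth: token predates an email change
        acct.password_hash = new_password_hash
        return True
```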
