Received-SPF: pass (google.com: domain of danieljoseph11556@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
MIME-Version: 1.0
References: <CAC3NA0AcqtgL67wYWhyx_hwyzn2qPtJbu2WRf9EdFma3BbQ0bQ@mail.gmail.com>
 <CAC3NA0DE+iq9ngpaG1sKQtFC0DOU14eYoPjAvhnAAg3zNdP8Ww@mail.gmail.com>
In-Reply-To: <CAC3NA0DE+iq9ngpaG1sKQtFC0DOU14eYoPjAvhnAAg3zNdP8Ww@mail.gmail.com>
From: Daniel joseph <danieljoseph11556@gmail.com>
Date: Tue, 28 Feb 2023 22:57:12 +0500
Message-ID: <CAC3NA0D-BVrO9FpPbB+Lu4n7JW7XWz_Y23B-_o4DxsdeBgwv9w@mail.gmail.com>
Subject: Re: Vulnerability Report-Broken Authentication
To: info@designerliving.com
Content-Type: multipart/alternative; boundary="000000000000a279b205f5c653d2"

--000000000000a279b205f5c653d2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Team,

I believe that you have had an opportunity to read our previous email
regarding the vulnerability report. As it's been long already and your team
hasn't responded to the vulnerability report submitted by me, I was
expecting $500 for responsible disclosure of vulnerability.

Furthermore I would like to publicly disclose vulnerability reports on our
blogs for research and educational purposes. If you have any concerns do
let me know.

Regards,
Daniel


On Thu, Dec 8, 2022 at 12:49=E2=80=AFPM Daniel joseph <danieljoseph11556@gm=
ail.com>
wrote:

> Hi Team,
>
> Any update regarding the report and bounty?
>
> On Fri, Oct 21, 2022 at 11:28 PM Daniel joseph <
> danieljoseph11556@gmail.com> wrote:
>
>> Hey Team,
>>
>> I'm a penetration tester and bug bounty hunter. I have found a potential
>> vulnerability in the site. Please review the report below.
>>
>> Vulnerability: Broken Authentication & Session Management
>> We have observed that when we change "password" from one browser in plac=
e
>> of session expiration from another browser it just updates the password
>> from another browser and the old session gets updated without being logg=
ed
>> out. The flows goes like this:
>> Broken Authentication and Session Management > Failure to Invalidate
>> Session > On Password Change
>> Steps:
>> 1- Login from two browsers at a time [From Chrome browser and from
>> Mozilla Firefox].
>> 2- Change password in settings from chrome browser.
>> 3- Now Check Mozilla Firefox.
>> 4- Your Session got "updated" in place of expiration.
>>
>> Same goes with when using two different computer systems.
>> 1- Login from two computers at a time
>> 2- Change password in settings from computer A.
>> 3- Now Check computer B.
>> 4- Your Session got "updated" in place of expiration.
>>
>> Recommendations: If Session is Updating from one Browser/Computer so
>> other should expire first to renew session after login.
>>
>> If you require any additional information, please let me know. I'll be
>> waiting to hear from your side regarding the report and bounty.
>>
>> --
>> Regards,
>> Daniel
>>
>
>
> --
> Regards,
> Daniel
>

--000000000000a279b205f5c653d2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Team,<br><br>I believe that you have had an opportunity=
 to read our previous email regarding the vulnerability report. As it&#39;s=
 been long already and your team hasn&#39;t responded to the vulnerability =
report submitted by me, I was expecting $500 for responsible disclosure of =
vulnerability.<br><br>Furthermore I would like to publicly disclose vulnera=
bility reports on our blogs for research and educational purposes. If you h=
ave any concerns do let me know.<div><div dir=3D"ltr" class=3D"gmail_signat=
ure" data-smartmail=3D"gmail_signature"><div dir=3D"ltr"><div><br></div>Reg=
ards,<div><span style=3D"font-family:&quot;Google Sans&quot;,Roboto,RobotoD=
raft,Helvetica,Arial,sans-serif;font-size:16px;letter-spacing:0.1px;text-al=
ign:center;white-space:nowrap">Daniel</span><br></div></div></div></div><br=
></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr"=
>On Thu, Dec 8, 2022 at 12:49=E2=80=AFPM Daniel joseph &lt;<a href=3D"mailt=
o:danieljoseph11556@gmail.com">danieljoseph11556@gmail.com</a>&gt; wrote:<b=
r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">=
<div dir=3D"ltr"><div>Hi Team,</div><div><br></div><div>Any update regardin=
g the report and bounty?</div></div></div><br><div class=3D"gmail_quote"><d=
iv dir=3D"ltr" class=3D"gmail_attr">On Fri, Oct 21, 2022 at 11:28 PM Daniel=
 joseph &lt;<a href=3D"mailto:danieljoseph11556@gmail.com" target=3D"_blank=
">danieljoseph11556@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">Hey Team,<br=
><br>I&#39;m a penetration tester and bug bounty hunter. I have found a pot=
ential vulnerability in the site. Please review the report below.<br><br>Vu=
lnerability: Broken Authentication &amp; Session Management<br>We have obse=
rved that when we change &quot;password&quot; from one browser in place of =
session expiration from another browser it just updates the password from a=
nother browser and the old session gets updated without being logged out. T=
he flows goes like this:<br>Broken Authentication and Session Management &g=
t; Failure to Invalidate Session &gt; On Password Change<br>Steps:<br>1- Lo=
gin from two browsers at a time [From Chrome browser and from Mozilla Firef=
ox].<br>2- Change password in settings from chrome browser.<br>3- Now Check=
 Mozilla Firefox.<br>4- Your Session got &quot;updated&quot; in place of ex=
piration.<br><br>Same goes with when using two different computer systems.<=
br>1- Login from two computers at a time<br>2- Change password in settings =
from computer A.<br>3- Now Check computer B.<br>4- Your Session got &quot;u=
pdated&quot; in place of expiration.<br><br>Recommendations: If Session is =
Updating from one Browser/Computer so other should expire first to renew se=
ssion after login.<br><br>If you require any additional information, please=
 let me know. I&#39;ll be waiting to hear from your side regarding the repo=
rt and bounty.<br><div><br></div>--<br><div dir=3D"ltr"><div dir=3D"ltr">Re=
gards,<div>Daniel</div></div></div></div></div>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
><div dir=3D"ltr">Regards,<div><span style=3D"font-family:&quot;Google Sans=
&quot;,Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:16px;letter-=
spacing:0.1px;text-align:center;white-space:nowrap">Daniel</span><br></div>=
</div></div>
</blockquote></div>

--000000000000a279b205f5c653d2--