Delivered-To: info@designerliving.com
Received: by 2002:a05:7000:81e5:b0:522:a22e:cb47 with SMTP id w5csp304555mar;
        Sat, 30 Sep 2023 12:14:05 -0700 (PDT)
X-Received: by 2002:a9d:700d:0:b0:6bc:a824:2750 with SMTP id k13-20020a9d700d000000b006bca8242750mr8332694otj.2.1696101245208;
        Sat, 30 Sep 2023 12:14:05 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=FzeT9xUa;
       spf=pass (google.com: domain of danieljoseph11556@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=danieljoseph11556@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <danieljoseph11556@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id a18-20020a9d3e12000000b006c64b47a460sor1028293otd.11.2023.09.30.12.14.05
        for <info@designerliving.com>
        (Google Transport Security);
        Sat, 30 Sep 2023 12:14:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of danieljoseph11556@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=FzeT9xUa;
       spf=pass (google.com: domain of danieljoseph11556@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=danieljoseph11556@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
X-Received: by 2002:a9d:74d4:0:b0:6be:fdab:dc65 with SMTP id
 a20-20020a9d74d4000000b006befdabdc65mr7799032otl.19.1696101244535; Sat, 30
 Sep 2023 12:14:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAC3NA0AcqtgL67wYWhyx_hwyzn2qPtJbu2WRf9EdFma3BbQ0bQ@mail.gmail.com>
 <CAC3NA0DE+iq9ngpaG1sKQtFC0DOU14eYoPjAvhnAAg3zNdP8Ww@mail.gmail.com> <CAC3NA0D-BVrO9FpPbB+Lu4n7JW7XWz_Y23B-_o4DxsdeBgwv9w@mail.gmail.com>
In-Reply-To: <CAC3NA0D-BVrO9FpPbB+Lu4n7JW7XWz_Y23B-_o4DxsdeBgwv9w@mail.gmail.com>
From: Daniel joseph <danieljoseph11556@gmail.com>
Date: Sun, 1 Oct 2023 00:13:53 +0500
Message-ID: <CAC3NA0AO3JY5p0XQZ2JJetW+jVYDPCsmWZ6KyfMs_LigpSg4=A@mail.gmail.com>
Subject: Re: Vulnerability Report-Broken Authentication
To: info@designerliving.com
Content-Type: multipart/alternative; boundary="0000000000002f093c06069858b2"

--0000000000002f093c06069858b2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Team,

I hope you are well. I've reported a security vulnerability on your website
a long time ago and still haven't heard back from you. I'd really
appreciate it if you can verify my findings and update me regarding the
bounty for the report.

Looking forward to hearing from you.

On Tue, Feb 28, 2023 at 10:57 PM Daniel joseph <danieljoseph11556@gmail.com>
wrote:

> Hi Team,
>
> I believe that you have had an opportunity to read our previous email
> regarding the vulnerability report. As it's been long already and your team
> hasn't responded to the vulnerability report submitted by me, I was
> expecting $500 for responsible disclosure of vulnerability.
>
> Furthermore I would like to publicly disclose vulnerability reports on our
> blogs for research and educational purposes. If you have any concerns do
> let me know.
>
> Regards,
> Daniel
>
>
> On Thu, Dec 8, 2022 at 12:49 PM Daniel joseph <danieljoseph11556@gmail.com>
> wrote:
>
>> Hi Team,
>>
>> Any update regarding the report and bounty?
>>
>> On Fri, Oct 21, 2022 at 11:28 PM Daniel joseph <
>> danieljoseph11556@gmail.com> wrote:
>>
>>> Hey Team,
>>>
>>> I'm a penetration tester and bug bounty hunter. I have found a potential
>>> vulnerability in the site. Please review the report below.
>>>
>>> Vulnerability: Broken Authentication & Session Management
>>> We have observed that when we change "password" from one browser in
>>> place of session expiration from another browser it just updates the
>>> password from another browser and the old session gets updated without
>>> being logged out. The flow goes like this:
>>> Broken Authentication and Session Management > Failure to Invalidate
>>> Session > On Password Change
>>> Steps:
>>> 1- Login from two browsers at a time [From Chrome browser and from
>>> Mozilla Firefox].
>>> 2- Change password in settings from Chrome browser.
>>> 3- Now Check Mozilla Firefox.
>>> 4- Your Session got "updated" in place of expiration.
>>>
>>> The same goes when using two different computer systems.
>>> 1- Login from two computers at a time
>>> 2- Change password in settings from computer A.
>>> 3- Now Check computer B.
>>> 4- Your Session got "updated" in place of expiration.
>>>
>>> Recommendations: If the session is updating from one browser/computer, the
>>> other should expire first to renew the session after login.
>>>
>>> If you require any additional information, please let me know. I'll be
>>> waiting to hear from your side regarding the report and bounty.
>>>
>>> --
>>> Regards,
>>> Daniel
>>>
>>
>>
>> --
>> Regards,
>> Daniel
>>
>


--0000000000002f093c06069858b2--
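The behaviour reported in the thread above (a second browser's session surviving a password change) and the recommended fix, as an added example that is not part of the e-mails and not the site's code. `SessionStore`, `change_password` and `revoke_others` are hypothetical names, and the in-memory tables stand in for whatever session backend the site uses.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session table for illustration."""

    def __init__(self):
        self._sessions = {}   # session id -> username
        self._passwords = {}  # username -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        salt, stored = self._passwords.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._derive(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)

    def change_password(self, sid, new_password, revoke_others=True):
        """Return the caller's session id after the change, or None if sid is invalid.

        revoke_others=False reproduces the reported behaviour: every other
        session of the user stays valid. True is the hardened behaviour.
        """
        user = self._sessions.get(sid)
        if user is None:
            return None
        self.register(user, new_password)
        if not revoke_others:
            return sid
        # Drop every session of this user, including the caller's old id.
        for old in [s for s, u in self._sessions.items() if u == user]:
            del self._sessions[old]
        # Issue a fresh id only to the browser that made the change
        # (rotating the caller's id is an assumption of this example).
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid
```

With `revoke_others=True`, the second browser's next request resolves to no user and must log in again with the new password.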
