July 13, 2021

creating a session during password reset

This seems like an issue to me, but I wanted to get everyone's opinion as I'm a cyber newb. When logging into a large financial institution's website, if I click on password reset it prompts me for a text or email for the security code. Then, when I'm on the page that lets me reset my password, I'm in an active session. I can close the browser without resetting the password, then open the browser, and I'm logged in. No password reset happened, but I'm in. Obviously I had to get a secure PIN from an MFA option like text, but it seems like poor programming and security practice to open and maintain a session without actually doing the reset. I guess I bypassed 2FA by not needing a password :)
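As an added illustration (not code from the original post or from any institution's site), here is how a reset flow is usually expected to separate the two privileges the post describes: verifying the out-of-band code yields only a short-lived, single-use reset token that can do exactly one thing (set a new password), while a full login session is created only by `login()` with the password. All names, the in-memory stores and the sample user are constructed for the example; a real deployment would add rate limiting on code attempts and use a database.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for the example (a real system uses a database).
USERS = {}            # username -> {"salt": bytes, "pw_hash": bytes}
RESET_CODES = {}      # username -> (code, expires_at); the out-of-band code
RESET_TOKENS = {}     # token -> (username, expires_at); reset-scoped only
SESSIONS = {}         # session_id -> username; full login sessions only

CODE_TTL = 600        # seconds the SMS/email code stays valid (assumed value)
TOKEN_TTL = 600       # seconds the reset token stays valid (assumed value)


def _hash_password(password, salt):
    # PBKDF2 stands in for a slow password hash; argon2/bcrypt are preferable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def request_reset(username):
    """Step 1: issue a one-time code to be delivered out of band (SMS/email)."""
    code = f"{secrets.randbelow(10**6):06d}"
    RESET_CODES[username] = (code, time.time() + CODE_TTL)
    return code  # returned only so the example can simulate delivery


def verify_reset_code(username, code):
    """Step 2: check the code. Success yields a reset-scoped token, NOT a login session.

    The code is consumed on the first attempt, right or wrong, so it cannot be guessed
    by retrying; the user simply requests a fresh one.
    """
    entry = RESET_CODES.pop(username, None)
    if entry is None:
        return None
    expected, expires_at = entry
    if time.time() > expires_at or not hmac.compare_digest(expected, code):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL)
    return token


def complete_reset(token, new_password):
    """Step 3: consume the token, set the password, and revoke all existing sessions."""
    entry = RESET_TOKENS.pop(token, None)  # single use: a second call fails
    if entry is None:
        return False
    username, expires_at = entry
    if time.time() > expires_at or username not in USERS:
        return False
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(new_password, salt)}
    # A reset is also a "log everything out" event for that account.
    for sid in [s for s, u in SESSIONS.items() if u == username]:
        del SESSIONS[sid]
    return True


def login(username, password):
    """Only knowledge of the current password creates a full session."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def is_logged_in(token_or_session):
    """A reset token must never be accepted where a login session is expected."""
    return token_or_session in SESSIONS


if __name__ == "__main__":
    create_user("alice", "old-password")
    code = request_reset("alice")              # simulates the SMS/email delivery
    reset_token = verify_reset_code("alice", code)
    print("reset token grants a login session:", is_logged_in(reset_token))
    print("reset completed:", complete_reset(reset_token, "new-password"))
    print("old password still works:", login("alice", "old-password") is not None)
```

The behaviour the post reports corresponds to `verify_reset_code()` writing into `SESSIONS` instead of `RESET_TOKENS`; keeping the two stores separate, and making the token single-use and short-lived, is what ensures that passing the out-of-band check alone never leaves the user authenticated.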
