Secuirty spam from Amazon
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 27 Jun 2022 06:43:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1o5o4V-000ACY-A8
for dave@doctor.nl2k.ab.ca;
Mon, 27 Jun 2022 06:42:31 -0600
Resent-From: The Doctor
Resent-Date: Mon, 27 Jun 2022 06:42:31 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]:43871)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.95 (FreeBSD))
(envelope-from <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@amazonses.com>)
id 1o5nM2-000CIz-IQ
for doctor@nk.ca;
Mon, 27 Jun 2022 05:56:40 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330968;
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
bh=cW9jUGU03edE/Lbm1JGNS6wfZ6mli1DEfH+3p30jMoE=;
b=ctDUVMlxZq93P+vT8YMsznjRAuUFzo9mp9VF142ACXwAwCzPFRoVrlyNESKa7bjr
eFJwb4cT0/KI9nf90BvCEaM/QFt0oQMq2lyQxszn9sTWsIjchQdspxvy1UB3+mlC+xr
UwOZ+EKL9D1wde3O0wHroVtwEXf9YvtS6uyF/taY=
Subject: Session not expiring after password change via forgot link
From: Claire Samuel
To: "doctor@nk.ca"
Reply-To: Claire Samuel
List-Unsubscribe:,
Subscriber-Uid:ey9677xbfhf21 - Unsubscribe request&body=Please unsubscribe
me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: af726vv397a14
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/ey9677xbfhf21
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES
Message-ID: <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@email.amazonses.com>
MIME-Version: 1.0
Date: Mon, 27 Jun 2022 11:56:08 +0000
Content-Type: multipart/alternative; boundary=PbL8ZI_d
X-SES-Outgoing: 2022.06.27-54.240.8.81
--PbL8ZI_d
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello doctor,
Hope you are fine. As an=C2=A0independent security research=
er I have found
some bugs/vulnerabilities in your website.
Vulnerabilit=
y: Failure to invalidate session on forget password
I have observed that =
when we=C2=A0request=C2=A0a forgot password link it
updates the session i=
nstead of=C2=A0expiration. If an account=C2=A0is
logged=C2=A0in some acco=
unt and the password reset link=C2=A0is used=C2=A0the
other account will =
get updated but not expired.
Steps to reproduce:
1. Request a forgot pa=
ssword link.
2. Now login in another browser and then use the password re=
set link
in another browser.
3. You will notice that the password=C2=
=A0will be changed=C2=A0successfully
and the other browser will still be =
active with the account you opened
in it.
Impact:
If some account=
=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will not
be=C2=A0log=
ged out from that browser and=C2=A0will be logged=C2=A0in and=C2=A0can
be=
=C2=A0used for malicious activities.
Recommendations:
It should expire =
immediately when the password=C2=A0is changed.
Regards.
--PbL8ZI_d
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
=09Session not expiring after password change via forgot link
>
Hello doctor,
Hope you are fine. As an=C2=A0independent security researcher I have found =
some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we=C2=A0request=C2=A0a forgot password link it up=
dates the session instead of=C2=A0expiration. If an account=C2=A0is logged=
=C2=A0in some account and the password reset link=C2=A0is used=C2=A0the oth=
er account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in ano=
ther browser.
3. You will notice that the password=C2=A0will be changed=C2=A0successfully=
and the other browser will still be active with the account you opened in =
it.
Impact:
If some account=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will no=
t be=C2=A0logged out from that browser and=C2=A0will be logged=C2=A0in and=
=C2=A0can be=C2=A0used for malicious activities.
Recommendations:
It should expire immediately when the password=C2=A0is changed.
Regards.
1070 S Elmhu=
rst Rd
Mt Prospect Delaware 60056
United States
, =
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/ey9=
677xbfhf21/mx001lfzwh6e2" />
--PbL8ZI_d--
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 27 Jun 2022 06:43:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from
id 1o5o4V-000ACY-A8
for dave@doctor.nl2k.ab.ca;
Mon, 27 Jun 2022 06:42:31 -0600
Resent-From: The Doctor
Resent-Date: Mon, 27 Jun 2022 06:42:31 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]:43871)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.95 (FreeBSD))
(envelope-from <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@amazonses.com>)
id 1o5nM2-000CIz-IQ
for doctor@nk.ca;
Mon, 27 Jun 2022 05:56:40 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330968;
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
bh=cW9jUGU03edE/Lbm1JGNS6wfZ6mli1DEfH+3p30jMoE=;
b=ctDUVMlxZq93P+vT8YMsznjRAuUFzo9mp9VF142ACXwAwCzPFRoVrlyNESKa7bjr
eFJwb4cT0/KI9nf90BvCEaM/QFt0oQMq2lyQxszn9sTWsIjchQdspxvy1UB3+mlC+xr
UwOZ+EKL9D1wde3O0wHroVtwEXf9YvtS6uyF/taY=
Subject: Session not expiring after password change via forgot link
From: Claire Samuel
To: "doctor@nk.ca"
Reply-To: Claire Samuel
List-Unsubscribe:
Subscriber-Uid:ey9677xbfhf21 - Unsubscribe request&body=Please unsubscribe
me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: af726vv397a14
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/ey9677xbfhf21
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES
Message-ID: <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@email.amazonses.com>
MIME-Version: 1.0
Date: Mon, 27 Jun 2022 11:56:08 +0000
Content-Type: multipart/alternative; boundary=PbL8ZI_d
X-SES-Outgoing: 2022.06.27-54.240.8.81
--PbL8ZI_d
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello doctor,
Hope you are fine. As an=C2=A0independent security research=
er I have found
some bugs/vulnerabilities in your website.
Vulnerabilit=
y: Failure to invalidate session on forget password
I have observed that =
when we=C2=A0request=C2=A0a forgot password link it
updates the session i=
nstead of=C2=A0expiration. If an account=C2=A0is
logged=C2=A0in some acco=
unt and the password reset link=C2=A0is used=C2=A0the
other account will =
get updated but not expired.
Steps to reproduce:
1. Request a forgot pa=
ssword link.
2. Now login in another browser and then use the password re=
set link
in another browser.
3. You will notice that the password=C2=
=A0will be changed=C2=A0successfully
and the other browser will still be =
active with the account you opened
in it.
Impact:
If some account=
=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will not
be=C2=A0log=
ged out from that browser and=C2=A0will be logged=C2=A0in and=C2=A0can
be=
=C2=A0used for malicious activities.
Recommendations:
It should expire =
immediately when the password=C2=A0is changed.
Regards.
--PbL8ZI_d
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
=09
>
Hello doctor,
Hope you are fine. As an=C2=A0independent security researcher I have found =
some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we=C2=A0request=C2=A0a forgot password link it up=
dates the session instead of=C2=A0expiration. If an account=C2=A0is logged=
=C2=A0in some account and the password reset link=C2=A0is used=C2=A0the oth=
er account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in ano=
ther browser.
3. You will notice that the password=C2=A0will be changed=C2=A0successfully=
and the other browser will still be active with the account you opened in =
it.
Impact:
If some account=C2=A0is logged=C2=A0in in=C2=A0some browser it=C2=A0will no=
t be=C2=A0logged out from that browser and=C2=A0will be logged=C2=A0in and=
=C2=A0can be=C2=A0used for malicious activities.
Recommendations:
It should expire immediately when the password=C2=A0is changed.
Regards.
1070 S Elmhu=
rst Rd
Mt Prospect Delaware 60056
United States
, =
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/ey9=
677xbfhf21/mx001lfzwh6e2" />
--PbL8ZI_d--