July 9, 2026
The Easy Bug Series | #01
Hello everyone ๐

By Soham D. Jadhav
1 min read
I'm starting a 15 days series where i'll share simple methodology to find your first valid findings with this series which is called as Low Hanging Fruits series. This are not so heavy bugs i will explain you in very simple words.
In today's i will explain about improper session invalidation after password change
What's the issue?
Imagine this.
You're logged in your laptop.
Someone somehow gets access to your session (may be through a stolen cookie, shared computer or malware).
You noticed that something is going wrong, So the first thing you are going to do is password change.
Most of the people assume that if we are changing the password the remaining session is terminated. means every one who is logged in with your account even if you are logged in with your mobile which should be logged out.
But sometimes.. it doesn't.
The attacker already has a valid session, and that session is working even if the valid user changes the password.
So chaning password doensn't actually remove their access to that account.
Without wasting any time i am going to show you about how to reproduce this vulnerability?
- Login with your valid credentials on 2 browsers (Firefox or chrome).
- After logging in go to the password change function(Firefox).
- Then Change the password(Firefox).
- After Changing the Password go to the chrome refresh the page.
If you are not logged out then this is the bug.
That's it for Day 1 ๐
A simple bug, bug still found in many applications.
See you in next part where we will explore another easy bug bounty finding.
Let's connect:
๐ LinkedIn ๐ป GitHub ๐ฏ TryHackMe
Happy Hunting! ๐๐
#BugBounty #WebSecurity #CyberSecurity #Pentesting #VAPT