Idea Details

HUB v4.6 and Decipher v2.2 allow Concurrent User Sessions

By: Ganesan Gunasekaran
02-07-2024 19:48

Vulnerability: CONCURRENT USER SESSIONS

Issue observed in: HUB and Decipher

Business Impact: An attacker can connect concurrently with a user without indication that their account has been compromised.

Description 

The application allows multiple connections simultaneously with the same authenticated user account. This is demonstrated by logging in with two separate browsers without restriction.

In this case, the application allowed the admin user to sign into the application using two different browsers at the same time.

Supporting Evidence:  A high privileged user logged into the application from two different browsers at the same time.

Reproduction Steps 

1. In Chrome, log into the application with a high privileged user.

2. Perform the same action as step one, but this time using the Edge browser.

3. Attempt to navigate to any other page within the application using both browsers.

4. The application does not log the user out of either session.


Recommendation 

• The application should restrict connections so that a user account can only create one session at a time to the application. This will create a condition that alerts the user that their account has been compromised.

• If there is a business case for concurrent user sessions, then some form of indication should be given to the user that their account may be compromised. This can be done with a message alerting the user that there is another login from another location.

• It can also be strengthened by displaying a message indicating the last time a login occurred.
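The three recommendations above, as an added example that is not part of the original idea or of any Blue Prism product: a minimal server-side session store that either enforces one session per account (terminating the earlier browser's session) or permits concurrency but tells the user about the other active session, and in both modes reports the last login. Client labels such as "Chrome" and "Edge" are constructed inputs standing in for whatever the application records about the connecting client.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    user: str
    client: str      # constructed label for the connecting browser/location
    created: float


@dataclass
class SessionStore:
    single_session: bool = True                     # True: one session per account
    sessions: dict = field(default_factory=dict)    # token -> Session
    last_login: dict = field(default_factory=dict)  # user -> (timestamp, client)

    def active_for(self, user):
        return [s for s in self.sessions.values() if s.user == user]

    def login(self, user, client, now=None):
        """Create a session and return (token, notices to show the user)."""
        now = time.time() if now is None else now
        others = self.active_for(user)
        notices = []
        if others and self.single_session:
            # Recommendation 1: only one session per account, so the earlier
            # browser is logged out and the user is told why.
            for s in others:
                del self.sessions[s.token]
            names = ", ".join(s.client for s in others)
            notices.append(f"previous session(s) from {names} were terminated")
        elif others:
            # Recommendation 2: concurrency allowed, but flag the other login.
            names = ", ".join(s.client for s in others)
            notices.append(f"account is also signed in from {names}")
        # Recommendation 3: show the time and origin of the last login.
        if user in self.last_login:
            ts, prev_client = self.last_login[user]
            notices.append(f"last login at {ts:.0f} from {prev_client}")
        self.last_login[user] = (now, client)
        token = secrets.token_urlsafe(32)   # unpredictable session identifier
        self.sessions[token] = Session(token, user, client, now)
        return token, notices

    def is_valid(self, token):
        return token in self.sessions
```

Walking through the reproduction steps with `single_session=True`, the Chrome token stops validating as soon as the Edge login completes, which is the behaviour the report found missing.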

References 

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html


