Getting Your Account Hacked Is Just A Feature On Quora.com
2021-08-23 20:12:39 Author: infosecwriteups.com

Intro Part 1:

Trying to log in to Quora from my browser, I realized I didn't remember my password. I have this account logged in in multiple places, one of which is my phone. After successfully changing my password through the web app, I opened the Android app to log back in with the new password (as it was supposed to work). Well, my account was still logged in using the old password. For some reason, Quora never logged me out.

  1. Log in to both the Android app and the web app with the same account
  2. In the web app, request a password reset link
  3. Copy and paste the reset link into your browser and change the password
  4. Open the Android app and test it by browsing around and doing the regular stuff as always
  5. It will still work as intended

Note: This was done using the Google login option. I can't guarantee this will work with a regular account created with your own email.
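The behaviour in the steps above, reproduced and then fixed in a small in-memory session store (added example, not Quora's code; `SessionStore`, `epoch` and the other names are hypothetical). Each session records the account's credential epoch when it was issued, so after the fix a password reset rejects every session minted before it and queues the change notification that Intro Part 2 says never arrived.

```python
# Added example, not Quora's code (all names hypothetical): an in-memory
# account/session store. invalidate_on_change=False reproduces the bug in the
# write-up (old sessions survive a reset, no notice); True is the fix.
import hashlib
import secrets
from dataclasses import dataclass, field

def pw_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    epoch: int = 0                 # bumped on every credential change
    notifications: list[str] = field(default_factory=list)

@dataclass
class Session:
    user: str
    epoch: int                     # account epoch when the session was issued

class SessionStore:
    def __init__(self, invalidate_on_change: bool) -> None:
        self.invalidate_on_change = invalidate_on_change
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user: str, pw: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, pw_hash(pw, salt))

    def login(self, user: str, pw: str) -> "str | None":
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.digest, pw_hash(pw, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, acct.epoch)
        return token

    def reset_password(self, user: str, new_pw: str) -> None:
        acct = self.accounts[user]
        acct.digest = pw_hash(new_pw, acct.salt)
        if self.invalidate_on_change:
            acct.epoch += 1            # every older session now fails is_valid
            acct.notifications.append("Your password was changed")

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.epoch == self.accounts[s.user].epoch
```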

Intro Part 2:

After changing my password, I noticed that Quora.com never sent me an email telling me about the password change made to my account. In fact, HackerOne unwittingly helped me learn about this part of the bug. How? Whenever you want to send a report to Quora, you are asked to set up 2FA, which I did. When this is done, you get an email from HackerOne telling you about the change that was made.

The Report 1:

As you can already tell, in the bug bounty community this problem counts as two different vulnerabilities: "Failing to notify password changes" and "Session fails to log out on password change".

In the screenshot above we can read the response to "Failing to notify password changes"; I was not expecting anything less than this as a response.

The Report 2:

What I wasn't really expecting was the response to the second report. In reality, a duplicate was what I was aiming for with this report.

From my replies we can both agree that I was really mad about their response. In all honesty, I was not angry because I was not going to get a reward for this report, but because of the way they had a magic response ready for the lack of security on a web app such as Quora. Even more so when just a week ago they started paying us for our content.

Summary

Many times we find vulnerabilities while doing everyday things. We also try to fix them and/or take advantage of them. As you can see from the results, this was not my case. Always take care of your own security, because sometimes companies just don't do it the way they should.


Source: https://infosecwriteups.com/getting-your-account-hacked-is-just-a-feature-on-quora-com-6a7c7d0d6cd0?source=rss----7b722bfd1b8d--bug_bounty