Password Recovery Destination Manipulation via Session Puzzling
Also Known As:
Session Variable Overloading
Vector Operation Method:
Attackers can abuse credential recovery mechanisms through forced access and session poisoning sequences aimed at components that write to the same session variable the recovery flow uses for its destination attribute. One example is a password recovery mechanism that shares session state with the registration process or a profile update feature; invoking those features during recovery may overwrite the session-stored phone number, email address, or other recovery destination, so the recovery message is sent somewhere the account owner never chose.
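The following added example (constructed for this entry, not code from the original page) models the overloading described above in a toy web session. `VulnerableRecovery` reads the recovery destination from a generic `session["email"]` key that a profile-update feature also writes to; `HardenedRecovery` keeps recovery state under its own namespaced key, gates the profile feature on an authenticated session, and resolves the destination from the account record of the user identified in step one at send time. All names (`USERS`, `send_reset_link`, the two classes) are assumptions of this example.

```python
"""Session variable overloading in a password-recovery flow (constructed demo)."""
import secrets

# Constructed user store: account id -> registered recovery email.
USERS = {"alice": {"email": "alice@example.test"}}

# Captured outbound messages so callers can inspect where links were sent.
SENT_LINKS = []


def send_reset_link(address, token):
    """Stand-in for the mailer; records (destination, token)."""
    SENT_LINKS.append((address, token))


class VulnerableRecovery:
    """Recovery destination lives in a session key shared with other features."""

    def __init__(self):
        self.session = {}

    def start_recovery(self, username):
        # Step 1: look up the account and park its email in a generic key.
        user = USERS.get(username)
        if user:
            self.session["recovery_user"] = username
            self.session["email"] = user["email"]

    def update_profile_email(self, new_email):
        # Unrelated feature that reuses the same "email" key and is reachable
        # mid-recovery (the "forced access" the entry describes).
        self.session["email"] = new_email

    def finish_recovery(self):
        # Step 2: send the link to whatever "email" currently holds.
        if "recovery_user" not in self.session:
            return None
        token = secrets.token_urlsafe(16)
        send_reset_link(self.session["email"], token)
        return self.session["email"]


class HardenedRecovery:
    """Recovery state is namespaced and the destination is resolved from
    the account record, never from a session variable other features write."""

    def __init__(self):
        self.session = {}

    def start_recovery(self, username):
        # Store only a reference to the account under a dedicated key.
        if username in USERS:
            self.session["pwreset.user"] = username

    def update_profile_email(self, new_email):
        # Profile changes require an authenticated session and only ever
        # touch the authenticated user's own record.
        if "auth.user" not in self.session:
            raise PermissionError("profile update requires authentication")
        USERS[self.session["auth.user"]]["email"] = new_email

    def finish_recovery(self):
        username = self.session.get("pwreset.user")
        if username is None:
            return None
        # Destination comes from the stored account at send time.
        dest = USERS[username]["email"]
        token = secrets.token_urlsafe(16)
        send_reset_link(dest, token)
        # Recovery state is single-use.
        del self.session["pwreset.user"]
        return dest


def demo():
    """Run the same interleaving against both designs; returns destinations."""
    v = VulnerableRecovery()
    v.start_recovery("alice")
    v.update_profile_email("other@example.test")  # overwrites the destination
    vulnerable_dest = v.finish_recovery()

    h = HardenedRecovery()
    h.start_recovery("alice")
    try:
        h.update_profile_email("other@example.test")
        blocked = False
    except PermissionError:
        blocked = True
    hardened_dest = h.finish_recovery()
    return {"vulnerable": vulnerable_dest, "hardened": hardened_dest,
            "profile_update_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The detection hint for reviewers is the shared key: any session variable that is both written by an unauthenticated or loosely authorized feature and read by a security decision (here, where to send a reset link) is a candidate for this class of puzzle. Namespacing per flow, clearing the state after one use, and re-reading the destination from the persistent record close the gap without changing the user-visible flow.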