Memos Access Token Persistence Vulnerability After Password Change

Vulnerability

Memos, a privacy-focused note-taking service, does not invalidate a user's existing Access Tokens when that user changes their password. The issue is present in versions through 0.18.1. If an account is compromised and the victim resets the password, an attacker who already holds an Access Token keeps full access to the account. To lock the attacker out, the user must find and delete the compromised Access Token by hand, and because Access Tokens carry only a generic description, it is hard to tell which of the listed tokens belongs to the attacker.

Impact

Because Access Tokens are neither expired nor revoked when a password is changed, an attacker who has already obtained one retains access to the account after the password is updated. The password change, which users reasonably treat as the way to evict an intruder, does not end the attacker's session, so the account remains under unauthorized access until the token itself is deleted.

Reproduction

Log into the same Memos account on two devices so that an Access Token exists for each. On the first device, change the account password. The second device is not logged out and its Access Token still authenticates; listing the account's Access Tokens after the change shows the other device's token still present. Changing the password again from the second device likewise leaves the first device logged in.

Remediation

Memos should revoke every outstanding Access Token for a user when that user changes their password, logging the user out on all devices and requiring a fresh login with the new password. Until a fixed version is available, a user who suspects compromise should change the password and then delete every Access Token they do not recognize, or all of them, from the account's token list.
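The following is an added example of the remediation described above, written here for illustration; it is not Memos code and does not use the Memos API. It models a hypothetical in-memory token store in which changing a password deletes every token the user holds and, as a second line of defense, rejects any token issued before the user's last password change. The store, the clock injection, and the SHA-256 password stand-in are assumptions for this example (a real system would use bcrypt or argon2id). TwoDeviceScenario replays the advisory's two-device reproduction against the fixed store.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Hypothetical store for this example; not Memos code.
type accessToken struct {
	userID      int
	description string
	issuedAt    time.Time
}

type user struct {
	salt              []byte
	passwordHash      []byte
	passwordChangedAt time.Time
}

type Store struct {
	mu     sync.Mutex
	now    func() time.Time // injectable clock (assumption, for deterministic tests)
	users  map[int]*user
	tokens map[string]accessToken
}

var (
	ErrBadCredentials = errors.New("bad credentials")
	ErrInvalidToken   = errors.New("token unknown or revoked")
)

func NewStore(now func() time.Time) *Store {
	return &Store{now: now, users: map[int]*user{}, tokens: map[string]accessToken{}}
}

// hashPassword is a stand-in for a real password KDF such as bcrypt or argon2id.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func (s *Store) CreateUser(id int, password string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.users[id] = &user{salt: salt, passwordHash: hashPassword(salt, password), passwordChangedAt: s.now()}
}

// Login checks the password and issues a fresh random token for one device.
func (s *Store) Login(id int, password, description string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[id]
	if !ok || subtle.ConstantTimeCompare(u.passwordHash, hashPassword(u.salt, password)) != 1 {
		return "", ErrBadCredentials
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[tok] = accessToken{userID: id, description: description, issuedAt: s.now()}
	return tok, nil
}

// Validate resolves a token to a user. A token issued before the user's last
// password change is rejected even if it somehow survived revocation.
func (s *Store) Validate(tok string) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[tok]
	if !ok {
		return 0, ErrInvalidToken
	}
	if t.issuedAt.Before(s.users[t.userID].passwordChangedAt) {
		delete(s.tokens, tok)
		return 0, ErrInvalidToken
	}
	return t.userID, nil
}

// ChangePassword verifies the old password, stores the new one, and revokes
// every token the user holds: the fix the advisory asks for.
func (s *Store) ChangePassword(id int, oldPassword, newPassword string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[id]
	if !ok || subtle.ConstantTimeCompare(u.passwordHash, hashPassword(u.salt, oldPassword)) != 1 {
		return ErrBadCredentials
	}
	u.passwordHash = hashPassword(u.salt, newPassword)
	u.passwordChangedAt = s.now()
	for tok, t := range s.tokens {
		if t.userID == id {
			delete(s.tokens, tok)
		}
	}
	return nil
}

// TwoDeviceScenario replays the reproduction steps: log in on devices A and B,
// change the password from A, then check whether either token still works.
func TwoDeviceScenario() (bValidBefore, bValidAfter, aValidAfter bool) {
	clock := time.Date(2025, 11, 14, 15, 0, 0, 0, time.UTC) // constructed start time
	now := func() time.Time { clock = clock.Add(time.Second); return clock }
	s := NewStore(now)
	s.CreateUser(1, "old-password")
	tokA, _ := s.Login(1, "old-password", "device A")
	tokB, _ := s.Login(1, "old-password", "device B")
	_, errB := s.Validate(tokB)
	bValidBefore = errB == nil
	if err := s.ChangePassword(1, "old-password", "new-password"); err != nil {
		panic(err)
	}
	_, errB = s.Validate(tokB)
	_, errA := s.Validate(tokA)
	return bValidBefore, errB == nil, errA == nil
}

func main() {
	before, after, aAfter := TwoDeviceScenario()
	fmt.Printf("device B valid before change: %v, after: %v; device A after: %v\n", before, after, aAfter)
}
```

Deleting the tokens outright is the primary fix; the issued-before-change check in Validate is a cheap safety net that also covers tokens minted by a request racing with the password change, since both read the same clock under the store lock.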

Added: Nov 14, 2025, 3:22 PM
Updated: Nov 14, 2025, 5:31 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  6.0
remediation     8.3
relevance       1.1
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.