The road to hell is paved with good intentions
It may seem ordinary to some.
Someone fixed an important thing and did not check what else it might affect. A typical situation.
But my naivety, and the authority of the company I had to deal with, probably played a cruel joke on me. It was the Amazon Security department.
It happened when I found a session token with no expiration time that allowed resetting a user's password. Imagine the consequences if this token were leaked or intercepted. This problem cut right across the security of user data. Almost immediately I wrote a report to the Amazon security department.

I decided that it would be a great honor for me to contribute to the safety of the product. For some reason Amazon does not support bug-bounty programs, but that did not matter to me.
I wrote a report with the steps to reproduce the issue. I was thanked and told that the problem would be fixed ASAP. A week later I was informed that my vulnerability had been fixed. I checked whether the token could be reused when setting a password for the user, and now I could NOT reuse it to set a new password. I thanked them for the quick fix and went back to my job with a sense of accomplishment.
Some time later I received two gift cards as a token of gratitude. You cannot imagine how valuable that was to me. I do not mean the cost.

After a couple of weeks, I was approached by a project manager who could not set a password for a new user in the system.
I was very surprised. I had already tested this functionality, and we had not made any changes to the auth functionality, so everything should have worked fine. I checked it again and got a 500 server error. Surprised, I started debugging the issue step by step. It turned out the manager's steps included one failure: he first tried to set an "easy" password, got a validation message that the password was not strong enough, and then tried to set a proper strong password.
And then I remembered. This is exactly the place where the guys from Amazon were supposed to make the token non-reusable. That's right. They did it just as I reported. The token can be used once. If the user makes a mistake and submits a password that is not strong enough, sorry: go and repeat all the user activation steps with a new token.
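To make the failure mode concrete, here is an added example in Python (not code from the original post, and not Amazon's implementation): a password-reset flow with a one-time token, showing the sequence the manager hit (weak password first, then a strong one) against both the broken ordering and the corrected one. The token store, the toy strength policy, the user table and the names used are all hypothetical; the store also enforces an expiry, which goes slightly beyond the post but addresses the original finding of a token with no expiration.

```python
"""Added example (not from the original post or from Amazon): a password-reset
flow with a one-time, expiring token. The broken version consumes the token
before validating the password; the fixed version consumes it only after the
password has actually been set. All names and the strength policy are
hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MIN_PASSWORD_LENGTH = 12  # toy policy for illustration, not a real one


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issues random tokens, keeps only their hashes, enforces expiry and single use."""

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._records: Dict[str, ResetRecord] = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised offline

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash so a leaked store cannot be replayed as-is.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = ResetRecord(user, self._clock() + self._ttl)
        return token

    def lookup(self, token: str) -> Optional[ResetRecord]:
        rec = self._records.get(self._key(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        return rec

    def consume(self, token: str) -> None:
        self._records[self._key(token)].used = True


def password_is_strong(password: str) -> bool:
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def set_password_broken(store, users, token, new_password):
    """The behaviour the post describes: the token is burned as soon as it is
    presented, and only then is the password checked. A weak first attempt
    leaves the user with a dead token (the real flow surfaced this as a 500;
    here it is an explicit error string)."""
    rec = store.lookup(token)
    if rec is None:
        return "invalid, expired or already used token"
    store.consume(token)                      # burned before validation
    if not password_is_strong(new_password):
        return "password not strong enough"   # too late: token is gone
    users[rec.user] = new_password
    return "ok"


def set_password_fixed(store, users, token, new_password):
    """Validate everything first; consume the token only once the new
    password has actually been stored."""
    rec = store.lookup(token)
    if rec is None:
        return "invalid, expired or already used token"
    if not password_is_strong(new_password):
        return "password not strong enough"   # token remains usable
    users[rec.user] = new_password
    store.consume(token)                      # single use, after success
    return "ok"


def walk_through(set_password):
    """Run the manager's exact sequence (weak password, then a strong one)
    and return both results plus what ended up in the user table."""
    store, users = ResetTokenStore(), {}
    token = store.issue("new.user")           # constructed sample user
    first = set_password(store, users, token, "easy")
    second = set_password(store, users, token, "Correct-Horse-42")
    return first, second, users.get("new.user")


if __name__ == "__main__":
    print("broken:", walk_through(set_password_broken))
    print("fixed: ", walk_through(set_password_fixed))
```

The point of the ordering in `set_password_fixed` is that every check that can legitimately fail (token validity, password policy) runs before the token is consumed, so a policy rejection costs the user nothing, while replay after a successful set and use after expiry are still refused.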
To say that I was surprised would be an understatement. Unit tests, end-to-end tests, integration tests: what about those? Where was all of that from the Amazon team?

When I realized the cause of the problem, I immediately contacted the Amazon security team again. I got the answer that I was right. In this situation the problem was no longer considered a security issue, but for my team it was a functional problem in the product we were building. We had to add a few more validations to work around this error. In fact it was my mistake, as a QA engineer, that I did not check the whole flow affected by this change.
This story taught me an important lesson. Do not look at company names. Google, Amazon, Facebook, Twitter... The same kind of people work at all of them. Everyone can make mistakes. Remember this.
