Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by cyberoy - 12.10.2024
Last edited by cbay - 26.10.2024

FS#83 - Issue: Application Allowing Old Password to be Set as New Password

Summary:
The application at https://admin.alwaysdata.com allows users to set their old password as the new password when resetting their password via the "Forgot Password" link. This weakens the security of the platform by not enforcing password uniqueness, which is crucial for maintaining account security, especially after a password reset.

Description:
When a user resets their password via the "Forgot Password" link, the application allows them to reuse their old password as the new password. This behavior reduces the effectiveness of the password reset process, which is meant to provide users with fresh, secure credentials. If the old password was compromised, allowing the user to reset it back to the same password negates the entire purpose of the password reset feature.

Steps to Reproduce:
1. Go to the login page of https://admin.alwaysdata.com and click on Forgot Password.
2. Enter your registered email address and request a password reset link.
3. Use the received password reset link to reset your password.
4. Enter your current/old password as the "New Password" in the password reset form.
5. Confirm the password reset.
6. Notice that the application allows the old password to be reused without any restrictions.

Impact:
Weakens Account Security: Reusing the old password negates the purpose of a password reset, especially if the old password was compromised. This significantly increases the risk of account compromise.
Non-Compliance with Best Practices: Regulatory and security guidelines, such as OWASP and NIST password standards, require that new passwords must differ from previous ones to enhance security.

Recommendation:
Enforce Password History: Track the user’s password history (e.g., the last 5 passwords) and ensure that the newly set password during a reset is not one of the previously used passwords.
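One way to implement the password-history check recommended above, as an added example that is not part of the report or of the alwaysdata code base. The class and function names, the history depth of 5 and the PBKDF2 parameters are assumptions; only salted hashes of previous passwords are kept, never the plaintext.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5         # previous passwords remembered per account (assumed, as in the report)
PBKDF2_ROUNDS = 100_000   # assumed work factor; a dedicated KDF such as Argon2 is also suitable


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size digest from the password under a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords for one account.

    Each entry carries its own random salt, so identical passwords set at
    different times do not produce identical stored digests."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        # deque(maxlen=...) drops the oldest entry automatically once full
        self._entries = deque(maxlen=depth)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash_password(password, salt)))

    def was_used_recently(self, candidate: str) -> bool:
        # Rehash the candidate under every stored salt and compare in constant time;
        # any() short-circuits on a hit, which only reveals that a match exists.
        return any(
            hmac.compare_digest(_hash_password(candidate, salt), digest)
            for salt, digest in self._entries
        )


def reset_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply a reset only if the new password differs from the recent ones.

    Returns True when the password was accepted and recorded, False when it
    was rejected because it matches one of the remembered passwords."""
    if history.was_used_recently(new_password):
        return False
    history.record(new_password)
    return True
```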

Closed by cbay
26.10.2024 11:18
Reason for closing: Invalid

cbay (Admin) commented on 24.10.2024 12:47

Hello,

We do not force our users to change their passwords. So changing your password to the same old password is actually the same as doing nothing at all, which is not a security issue.

Kind regards,
Cyril
