Lack Of Password Confirmation

Lack of Password Confirmation

Overview of the Vulnerability

User accounts are more susceptible to account takeover when there is no password confirmation on certain actions. For example, change of email address, change of password, management of Multi-Factor Authentication details, and account deletion. The application lacks password confirmation which could be abused by an attacker who has access to the user’s account (eg. a public computer the user has not logged out of). From here, the attacker could make permanent changes to the user’s account without having to provide a password.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to navigate to: {{URL}}

3. Alter the account

4. Intercept the request in a Web Proxy

5. Adjust and forward the following request to the endpoint:

{{request}}

1. Observe that no password confirmation is required

Proof of Concept (PoC)

The screenshot(s) below demonstrates the lack of password confirmation:

{{screenshot}}

Recommendation(s)

It’s recommended to include the use of a password confirmation from users upon changes to their account to ensure that the requests are made by the legitimate user.