Change Password
Lack of Password Confirmation on Change of Password
Overview of the Vulnerability
User accounts are more susceptible to account takeover when there is no password confirmation on certain actions. For example, change of email address, change of password, management of Multi-Factor Authentication details, and account deletion.
The application lacks password confirmation on the change password function which could be abused by an attacker who has access to the user’s account (eg. a public computer the user has not logged out of). From here the attacker could change the account password to one they control. This gives the attacker control over functionality of a user’s account.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
Use change password functionality
Intercept the request in a Web Proxy
Adjust and forward the following request to the endpoint:
{{request}}Observe that no password confirmation is required
Proof of Concept (PoC)
The screenshot(s) below demonstrates the lack of password confirmation when changing the password:
{{screenshot}}
Recommendation(s)
It’s recommended to include the use of a password confirmation from users upon changes to their account, including the change of email address, to ensure that the requests are made by the legitimate user.
Last updated