Application allowing old password to be set as new password at $username.matomo.cloud #19839
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Milestone
Comments
niteshpatel798
added
the
Potential Bug
|
Thanks for creating this report @niteshpatel798 |
sgiehl
added
c: Security
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi Team,
I found an issue that your application is allowing user to set new password same as that of the old password.
Summary
As per secure password policy application should not allow same old password value to be used in setting new password value cos there might be possibility that old password might be exposed or leaked to an adversary so its advisable on application end to enforce strong password policy and should implement check to not to allow user to set old password value in new password value.
Step to Reproduce
1- Go to https://username.matomo.cloud/
2- Click on Lost password
3- enter old password as new password site accept and logged you in
4- Don't need to chek email and Authorized your password change request
Reference
https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
WeblateOrg/weblate@035730c
Impact
The problem is that,today attackers are accessing particular user account by knowing his other account passwords in other sites and also by knowing the old passwords used by him, So allowing users to set old password is some what a typical issue.
The text was updated successfully, but these errors were encountered: