Changing password without knowing old password

State Resolved
September 15, 2019
Issue ID -hfh3QsBW
Asset Web application
Bounty $100
Reported at September 10, 2019
Reporter Undisclosed
Severity Low
Visibility Complete
Weakness CWE 620 - Unverified Password Change

Description

It is possible to change the user's password without knowing the current one by using
the /auth/setPassword endpoint instead of /auth/password.
Impact - By intercepting and changing the request, with a valid token, the user could change his password without knowing the current one, which defeats the purpose of the current-password check on /auth/password.

Step by step - Scenario

  1. Using a proxy, intercept the password-change request (enter anything in the old-password field).
  2. Change the endpoint from /auth/password to /auth/setPassword.
  3. Change the POST data to the following (where 'MyNewPassword' is the new password you want):
    {"newPassword":"MyNewPassword","retypedNewPassword":"MyNewPassword"}
  4. Send the request.

Expected

The current password should be required on every endpoint that changes the password.

Note

A valid token is required.