Weak Password Requirements in jonschoning/espial

Valid

Reported on

Sep 26th 2021


Description: Weak password implementation

Proof of Concept
Step 1: Log in to the account and go to https://esp.ae8.org/Settings/Password
Step 2: Change the password "demo" to "12" or "1" and save the changes.
Step 3: We can see the "updated" message; the application allows setting a weak password.

PoC images for reference:
PoC 1: https://i.ibb.co/Zghc9zD/2.png
PoC 2: https://i.ibb.co/J7FC25J/response.png

Impact: Weak passwords can be guessable, or an attacker can brute-force them if the password length is very small, so try to use random strings with special characters. Though that can be hard to remember, from a security point of view it is quite secure. A strong password also needs to be stored properly.
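As an added illustration of the missing check, the following is a server-side password-policy function of the kind a change-password handler should run before accepting a new password. It is example code written for this page, not code from espial (a Haskell project) and not the content of the fix commit; the function names, thresholds and deny list are assumptions, and the deny list is a small constructed stand-in for a breached-password corpus. The thresholds follow NIST SP 800-63B: a minimum of 8 characters, a generous maximum so long passphrases are allowed, and rejection of known-compromised or trivially guessable values rather than composition rules.

```python
"""Password-policy check for a change-password endpoint (added example, not espial's code)."""
import unicodedata

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen secrets (assumed threshold)
MAX_LENGTH = 128   # cap so the password-hashing step cannot be fed megabyte inputs (assumed)

# Constructed deny list standing in for a real breached-password corpus.
DENY_LIST = frozenset({
    "password", "12345678", "qwertyui", "letmein1", "iloveyou", "admin123",
})


def normalize(password: str) -> str:
    """NFKC-normalise so the same secret typed with composed/decomposed code points matches."""
    return unicodedata.normalize("NFKC", password)


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations for a candidate password; empty means accepted."""
    problems = []
    pw = normalize(password)
    # len() counts code points, not bytes, so multibyte characters are not over-counted.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in DENY_LIST:
        problems.append("appears in the known-compromised password list")
    if username and username.lower() in pw.lower():
        problems.append("contains the account name")
    # "aaaaaaaa" or "11111111" satisfies the length check but falls in a handful of guesses.
    if len(set(pw)) == 1:
        problems.append("consists of one repeated character")
    return problems


def change_password(new_password: str, username: str) -> tuple[bool, str]:
    """Decision the Settings/Password handler should make before hashing and storing.

    Returns (accepted, message). A rejected password never reaches the password store.
    """
    problems = password_problems(new_password, username)
    if problems:
        return False, "rejected: " + "; ".join(problems)
    return True, "updated"


if __name__ == "__main__":
    # The two values from the report above, plus an accepted passphrase.
    for candidate in ("1", "12", "demo", "correct horse battery staple"):
        print(repr(candidate), "->", change_password(candidate, "demo"))
```

The check runs server-side so that a modified client cannot bypass it, and it reports every violation at once so the user can fix them in one round trip. The minimum length is the rule that matters for the brute-force case described in the report; the deny list and repeated-character check catch passwords that satisfy the length rule but are still among the first guesses an attacker makes.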

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 years ago
Jon Schoning validated this vulnerability 2 years ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning marked this as fixed with commit ed27a3 2 years ago
Jon Schoning has been awarded the fix bounty
This vulnerability will not receive a CVE