Weak password policy in the Change password function in bookwyrm-social/bookwyrm

Valid

Reported on Jul 11th 2022


Description

BookWyrm enforces a weak password policy: the change password function accepts a new password of just one character, with no minimum length or complexity check.

Steps to reproduce

1. Log in, then go to the Change password page (https://book.dansmonorage.blue/preferences/password).
2. Enter a single character (for example: 1) in the new password field and the same character in the confirm password field.
3. The password is changed successfully; the one-character value is accepted without any validation error.

Impact

If a user changes their password to a trivially short one, an attacker can guess it by brute force (a single-character password has at most a few hundred candidates) and take over the account.

Suggestion

BookWyrm should apply a stricter policy when changing passwords, for example: a minimum length of 8 characters, at least one special character, at least one digit, at least one upper-case letter, and so on. Since BookWyrm is a Django application, the same checks can be enforced by running the new password through Django's built-in password validators (django.contrib.auth.password_validation.validate_password) in the change password form, which also rejects common passwords and passwords similar to the username.
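The following is an added example, not BookWyrm's own code or the merged fix. It reproduces the reported behaviour (a policy that only checks that the two fields match, so "1" is accepted) beside a stricter policy implementing the rules suggested above, plus a common-password denylist and a username-similarity check. The function names, the small constructed denylist and the in-memory user store are assumptions for illustration; the change_password handler refuses to store any password that fails the strict policy.

```python
"""Password policy for a change-password handler (added example, not BookWyrm code)."""
import hashlib
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8
# Constructed sample denylist (lower-case). A real deployment loads a large
# breached-password list instead of this hand-written set.
COMMON_PASSWORDS = frozenset({"password", "12345678", "qwerty123", "password1!"})


@dataclass
class PolicyResult:
    ok: bool
    errors: List[str] = field(default_factory=list)


def weak_policy(new_password: str, confirm_password: str) -> PolicyResult:
    """The behaviour the report describes: only a field match is checked,
    so a one-character password such as "1" is accepted."""
    if new_password != confirm_password:
        return PolicyResult(False, ["passwords do not match"])
    return PolicyResult(True)


def strict_policy(new_password: str, confirm_password: str, username: str = "") -> PolicyResult:
    """Length, composition, denylist and username-similarity checks; every
    failing rule is reported so the user can fix all of them at once."""
    errors = []
    if new_password != confirm_password:
        errors.append("passwords do not match")
    if len(new_password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"\d", new_password):
        errors.append("must contain a digit")
    if not re.search(r"[A-Z]", new_password):
        errors.append("must contain an upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", new_password):
        errors.append("must contain a special character")
    if new_password.lower() in COMMON_PASSWORDS:
        errors.append("is on the common-password list")
    if username and username.lower() in new_password.lower():
        errors.append("must not contain the username")
    return PolicyResult(not errors, errors)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest (16 + 32 bytes)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def change_password(users: dict, username: str, new_password: str, confirm_password: str) -> PolicyResult:
    """Change-password handler: the hash is only stored when the strict policy passes."""
    result = strict_policy(new_password, confirm_password, username)
    if result.ok:
        users[username] = hash_password(new_password)
    return result


if __name__ == "__main__":
    print("weak policy accepts '1':", weak_policy("1", "1").ok)
    print("strict policy rejects '1':", strict_policy("1", "1").errors)
    store = {}
    print("change to 'Correct-H0rse':", change_password(store, "alice", "Correct-H0rse", "Correct-H0rse").ok)
```

One caveat on the composition rules: current guidance (NIST SP 800-63B) treats minimum length and a check against breached or common passwords as the effective controls and discourages mandatory character-class rules, so the denylist and length checks above matter more than the digit/upper-case/special-character rules. In a Django project the equivalent is to call validate_password(new_password, user) in the form's clean method and surface its ValidationError to the user.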

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 23 days ago
Mouse Reeve validated this vulnerability 23 days ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve confirmed that a fix has been merged on 137311 23 days ago
The fix bounty has been dropped
change_password.py#L14-L49 has been validated
password.py#L1-L83 has been validated