Weak Password Policy in athou/commafeed
Jul 5th 2022
commafeed is using a weak password policy: Acunetix was able to guess the credentials required to access this page. A weak password is one that is short, common, a system default, or that could be guessed quickly by a brute-force attack over a subset of all possible passwords, such as dictionary words, proper names, words based on the user name, or common variations on these themes.
Proof of Concept
1. Create a new user in the portal.
2. Give a password as simple as 123456.
3. We can register successfully.
An attacker could easily guess user passwords and gain access to user accounts.
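One way a registration endpoint can enforce the policy this report asks for (minimum length, rejection of common and default passwords, and of passwords derived from the user name, including leet-speak and appended-digit variations). This is an added example written for this page, not CommaFeed's own code; the 12-character minimum and the small deny-list are assumed values standing in for a real breached-password corpus.

```python
import re

# Constructed deny-list standing in for a large common/breached-password corpus.
# "admin" and "changeme" stand in for vendor or system default passwords.
COMMON_PASSWORDS = {
    "123456", "12345678", "123456789", "password", "qwerty", "letmein",
    "welcome", "iloveyou", "admin", "changeme",
}
MIN_LENGTH = 12  # assumed policy value

# Substitutions users commonly apply to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> set[str]:
    """Forms of the password a guessing attack would try: lower-cased,
    with leading/trailing digits and symbols stripped, and with
    leet-speak substitutions undone."""
    low = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, core, core.translate(LEET)}


def check_password(password: str, username: str) -> list[str]:
    """Return the policy violations for a proposed password.
    An empty list means the password is acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("common, default, or a trivial variation of one")
    uname = username.lower()
    # Very short user names would match too many passwords by accident.
    if len(uname) >= 4 and any(uname in f for f in forms):
        reasons.append("derived from the user name")
    return reasons


if __name__ == "__main__":
    # The report's proof of concept: "123456" must be refused at registration.
    for pw, user in [("123456", "bob"), ("P@ssw0rd1!", "carol"),
                     ("Alice2022!!", "alice"), ("correct-horse-battery-staple", "alice")]:
        problems = check_password(pw, user)
        print(f"{pw!r} for {user!r}: {'accepted' if not problems else ', '.join(problems)}")
```

Length and a deny-list lookup catch the reported case; the normalisation step is what stops the "Password1!"-style variations the report's definition mentions.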