
Application allowing old password to be set as new password at $username.matomo.cloud #19839

Open
niteshpatel798 opened this issue Oct 10, 2022 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@niteshpatel798

Hi Team,

I found an issue: your application is allowing a user to set a new password that is the same as the old password.

Summary

As per a secure password policy, the application should not allow the same old password value to be used when setting a new password, because there is a possibility that the old password has been exposed or leaked to an adversary. So it is advisable on the application end to enforce a strong password policy and implement a check that does not allow a user to set the old password value as the new password value.

Steps to Reproduce

1- Go to https://username.matomo.cloud/
2- Click on "Lost password"
3- Enter the old password as the new password; the site accepts it and logs you in
4- You don't need to check email and authorize your password change request

Reference

https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
WeblateOrg/weblate@035730c

Impact

The problem is that, today, attackers are accessing a particular user's account by knowing his passwords on other sites and also by knowing the old passwords he has used, so allowing users to set an old password is somewhat of a typical issue.

@niteshpatel798 niteshpatel798 added the Potential Bug Something that might be a bug, but can't be reproduced (yet). label Oct 10, 2022
@sgiehl
Member

sgiehl commented Oct 11, 2022

Thanks for creating this report @niteshpatel798
Our product team will consider this for future improvements.

@sgiehl sgiehl added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed Potential Bug Something that might be a bug, but can't be reproduced (yet). labels Oct 11, 2022
@sgiehl sgiehl added this to the For Prioritization milestone Oct 11, 2022