What is Weak Password Reset Implementation – Token is Not Invalidated After Use Vulnerability?

The application has a feature that allows users to recover or change their password without knowing the original one, but the feature is weakly implemented; in the case named above, the reset token is not invalidated after it has been used.

It is usual for an application to have a mechanism that lets a user regain access to their account if they forget their password. Very often, the password recovery procedure is weak, which increases the likelihood that someone other than the genuine user will be able to gain access to that user's account. Even a strong password authentication scheme is severely undermined by a weak password recovery scheme.

The vulnerability may be that the security question is too easy to guess or to look up (e.g. because the question is too common, or the answer can be found on social media). Or there may be an implementation flaw in the password recovery code that causes the system to send the new password to an e-mail address different from the user's. There may be no rate limiting on password resets, allowing an attacker to deny service to a genuine user by triggering resets of that user's password in quick succession. Instead of producing a new temporary password, the system may send the user the old password. In short, if password recovery functionality is not carefully designed and deployed, it frequently becomes the system's weakest link, allowing an attacker to obtain unauthorized access.
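The following is an added example, not code from the original page or from ZOFixer, showing how a password reset flow avoids the weaknesses listed above: the token is random, stored only as a hash, bound to a lifetime, delivered only to the address on file, rate limited per account, and marked used (and discarded) the moment a reset completes, so a replay of the same token fails. The class and function names, the 15-minute lifetime and the three-requests-per-hour limit are assumptions chosen for illustration; the injectable clock exists only so the expiry behaviour can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy values for this example.
TOKEN_TTL_SECONDS = 15 * 60        # how long a reset link stays valid
MAX_REQUESTS_PER_WINDOW = 3        # reset requests allowed per account per window
RATE_WINDOW_SECONDS = 60 * 60      # length of the rate-limit window


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class ResetRecord:
    token_hash: bytes       # only the hash is stored; a database leak does not expose live tokens
    expires_at: float
    used: bool = False


@dataclass
class Account:
    email: str
    password_hash: str
    reset: Optional[ResetRecord] = None
    request_times: List[float] = field(default_factory=list)


class PasswordResetService:
    def __init__(self, accounts: List[Account], clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.email: a for a in accounts}
        self.clock = clock
        # Stands in for a mailer: (recipient, token) pairs that were "sent".
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _hash_token(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str) -> bool:
        """Issue a fresh single-use token. Returns True only if an e-mail was queued."""
        account = self.accounts.get(email)
        if account is None:
            return False  # the UI should still show the same generic message
        now = self.clock()
        # Rate limit: drop timestamps outside the window, then count the rest.
        account.request_times = [t for t in account.request_times if now - t < RATE_WINDOW_SECONDS]
        if len(account.request_times) >= MAX_REQUESTS_PER_WINDOW:
            return False
        account.request_times.append(now)
        token = secrets.token_urlsafe(32)
        # A new request replaces any earlier token, so at most one is ever live.
        account.reset = ResetRecord(self._hash_token(token), now + TOKEN_TTL_SECONDS)
        # The recipient is always the address on file, never one supplied by the requester.
        self.outbox.append((account.email, token))
        return True

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Set a new password if the token is live, unexpired and matches; never reveal the old one."""
        account = self.accounts.get(email)
        if account is None or account.reset is None:
            return False
        rec = account.reset
        if rec.used or self.clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash_token(token)):
            return False
        rec.used = True
        account.reset = None          # invalidated: the same token cannot be replayed
        account.password_hash = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account; the e-mail address is illustrative.
    svc = PasswordResetService([Account("alice@example.com", hash_password("old-pw"))])
    svc.request_reset("alice@example.com")
    _, tok = svc.outbox[-1]
    print("first use:", svc.complete_reset("alice@example.com", tok, "new-pw"))   # True
    print("replay:", svc.complete_reset("alice@example.com", tok, "evil-pw"))     # False
```

The replay check at the end of the block is the behaviour the vulnerability in the title lacks: once `complete_reset` succeeds, the record is gone, so presenting the same link again is rejected rather than silently changing the password a second time.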

The ZOFixer.com security scan helps find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
