Hello there
Given that I know a password is a personal secret used to gain access to a system, that password reset emails exist, and that the whole reset process must be done by the user, I have a doubt: if an account with administrative privileges changes a user's password without knowing the previous password, and after the password is changed the user is not notified about the change, should it be considered as FIN.S.0033 Change of password without verification?
I think this design of the process could affect the availability of the user account.
Thanks
Could you update the initial question with:
- your previous research on the topic
- complete name of FIN.S.0033
- your initial analysis and conclusions

Then we could build from there to give you the appropriate advice.
The situation you are describing is breaking this rule https://fluidattacks.com/web/rules/301/ so I think it could be reported as that finding or as an insecure configuration
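To make the two designs discussed above concrete, here is an added example (not code from this thread or from Fluid Attacks) contrasting the silent admin overwrite described in the question with a reset flow that satisfies the "notify configuration changes" rule: it revokes existing sessions, forces a password change at next login, writes an audit record and tells the owner who made the change. The `PasswordResetService`, `User` class and in-memory outbox are constructed for the demo; the SHA-256 stand-in is not a recommendation for real credential storage.

```python
from dataclasses import dataclass, field
import hashlib
import secrets


@dataclass
class User:
    username: str
    email: str
    password_hash: str = ""
    must_change_password: bool = False
    sessions: set = field(default_factory=set)


def hash_password(pw: str) -> str:
    # Demo stand-in only; production code should use a slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


class PasswordResetService:
    def __init__(self) -> None:
        self.sent_mail = []   # constructed outbox standing in for an email gateway
        self.audit_log = []   # constructed audit trail

    def admin_reset_insecure(self, admin: str, user: User, new_pw: str) -> None:
        # The flow from the question: the credential is overwritten and nothing else
        # happens. Live sessions survive and the owner only notices when login fails.
        user.password_hash = hash_password(new_pw)

    def admin_reset(self, admin: str, user: User) -> str:
        # Hardened flow: the admin never picks the final password. A single-use
        # temporary credential is issued (assumed to be delivered out of band),
        # sessions are revoked, the action is audited and the owner is notified.
        temp = secrets.token_urlsafe(12)
        user.password_hash = hash_password(temp)
        user.must_change_password = True
        user.sessions.clear()
        self.audit_log.append(("admin_password_reset", admin, user.username))
        self.sent_mail.append((user.email,
                               f"Your password was reset by administrator {admin}. "
                               "If you did not request this, contact support."))
        return temp

    def login(self, user: User, pw: str, session_id: str) -> bool:
        if user.password_hash != hash_password(pw):
            return False
        user.sessions.add(session_id)
        return True
```

In a review, the presence of the notification and audit entries is what distinguishes an accepted administrative reset from a reportable "change without verification".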