`setPassword()` missing owner check - Unauthorized users can change password
Summary
The function PasswordStore.sol::setPassword() is vulnerable as it can be called by any user, not just the owner, allowing unauthorized changes to the password.
Vulnerability Details
In PasswordStore.sol#L26-29, the function setPassword()` is expected to allow only the owner to set a new password.
However, any user or contract can invoke this function.
Exploit scenario:
Initial state:
-
The PasswordStore contract has been deployed by a legitimate owner.
-
The owner has set a private password using the
setPassword()function.
Step 1: an attacker calls the PasswordStore contract function setPassword(), changing the password without the owner's permission.
Outcome: due to a lack of ownership check in the setPassword() function, the password within the PasswordStore contract gets overwritten with the attacker's specified password.
Implications: the purpose of the PasswordStore contract is compromised, as any user can change the password without the owner's knowledge or consent.
Impact
Any user can change the password stored in the PasswordStore contract without the owner's knowledge.
Tools Used
Manual review.
Recommendations
Ensure that the setPassword() function checks if msg.sender is the contract owner:
Lead Judging Commences
finding-lacking-access-control
Anyone can call `setPassword` and set a new password contrary to the intended purpose.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.