Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Non Owner can update the Password.

Summary

Although the password cannot be viewed by non-owners, the setPassword() function has no access-control check or modifier. This allows anyone to change the password and thereby know its new value.

Vulnerability Details

function setPassword(string memory newPassword) external {
    // no check on msg.sender: any caller reaches this line
    s_password = newPassword;
    emit SetNetPassword();
}

The setPassword() function can be called by any external address. There is no access-control check and no function modifier to ensure that only the owner can set the password.
This gives anyone the opportunity to set the password and, in doing so, to know it.

Impact

The primary purpose of a stored password is to remove the need to remember it all the time. At its simplest, this issue amounts to the owner losing their password and having to recover it.
However, consider this:

  • The contract owner deploys this contract.

  • They set the password to a phrase.

  • A high-value contract depends on the password stored in this contract and retrieves it for authorization and access control.

  • An attacker changes the password, then turns to the valuable contract and uses the password they just set for malicious purposes.

  • This abuse of authority lets the attacker effectively seize the assets held in the second contract.

Tools Used

VsCode
Remix

Recommendations

Add a check to setPassword() so that only the owner can set the password.

function setPassword(string memory newPassword) external {
    // revert for any caller other than the stored owner
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
    emit SetNetPassword();
}
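A Foundry test that records both halves of this finding, as an added illustration that is not part of the original submission or of the audited PasswordStore repository: the two minimal store contracts and the test contract below are assumed stand-ins, and the test contract deploys the stores so that it is their owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import {Test} from "forge-std/Test.sol";

// Stand-in for the store as submitted: setPassword has no caller check.
contract VulnerablePasswordStore {
    address private s_owner;
    string private s_password;
    constructor() { s_owner = msg.sender; }
    function setPassword(string memory newPassword) external {
        s_password = newPassword; // reached by any caller
    }
    function getPassword() external view returns (string memory) {
        require(msg.sender == s_owner, "not owner");
        return s_password;
    }
}

// The same store with the recommended owner check in place.
contract FixedPasswordStore {
    error PasswordStore__NotOwner();
    address private s_owner;
    string private s_password;
    constructor() { s_owner = msg.sender; }
    function setPassword(string memory newPassword) external {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        s_password = newPassword;
    }
}

// The test contract deploys both stores, so it is their owner.
contract SetPasswordAccessTest is Test {
    address nonOwner = makeAddr("nonOwner");
    // Documents the finding: a non-owner's write lands in storage.
    function test_nonOwnerOverwritesPassword() public {
        VulnerablePasswordStore store = new VulnerablePasswordStore();
        store.setPassword("owner-secret");
        vm.prank(nonOwner);
        store.setPassword("set-by-non-owner"); // does not revert
        assertEq(store.getPassword(), "set-by-non-owner");
    }

    // Regression test for the recommendation: the same call must revert.
    function test_fixedStoreRejectsNonOwner() public {
        FixedPasswordStore store = new FixedPasswordStore();
        vm.prank(nonOwner);
        vm.expectRevert(FixedPasswordStore.PasswordStore__NotOwner.selector);
        store.setPassword("set-by-non-owner");
    }
}
```

Run with `forge test`; the first test fails only once the owner check is added to the vulnerable store, which makes it a useful guard against the check being removed again.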

Updates

Lead Judging Commences

inallhonesty Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-lacking-access-control

Anyone can call `setPassword` and set a new password contrary to the intended purpose.
