This vulnerability revolves around the ability for anyone to change the password.
Specifically, the setPassword function is accessible to anyone, including malicious users, allowing them to change the password.
The vulnerability exists within the setPassword function, which carries no access control and can therefore be executed by any account, including ones with malicious intent.
The impact is that any caller can overwrite the stored password, affecting the owner, who relies on the getPassword function to retrieve it. Unauthorized password changes break the contract's core guarantee and can disrupt the service that depends on it.
Manual Review
To mitigate this vulnerability, it is recommended to use OpenZeppelin's Ownable contract or implement a similar access control mechanism. By doing so, you can restrict the execution of the setPassword function to only the owner, preventing unauthorized access. Here's an example of how to implement it:
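As an added illustration (not the submission's own snippet or the PasswordStore project's code), the minimal contract shape below shows the unrestricted setter next to a version that inherits OpenZeppelin's Ownable and gates setPassword with onlyOwner, followed by a Foundry test that checks both behaviours. The storage names, the custom error, the OpenZeppelin v5 constructor signature and the forge-std import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies: OpenZeppelin Contracts v5 and forge-std.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical shape of the vulnerable contract: the setter has no access control.
contract PasswordStoreVulnerable {
    error PasswordStore__NotOwner();

    address private s_owner;   // assumed storage name
    string private s_password; // assumed storage name

    constructor() {
        s_owner = msg.sender;
    }

    // VULNERABLE: any account can overwrite the password.
    function setPassword(string memory newPassword) external {
        s_password = newPassword;
    }

    // Reading is restricted to the owner, but writing is not.
    function getPassword() external view returns (string memory) {
        if (msg.sender != s_owner) revert PasswordStore__NotOwner();
        return s_password;
    }
}

// FIXED: inherit Ownable and apply onlyOwner to the setter.
contract PasswordStoreFixed is Ownable {
    string private s_password;

    // OpenZeppelin v5 Ownable takes the initial owner as a constructor argument.
    constructor() Ownable(msg.sender) {}

    function setPassword(string memory newPassword) external onlyOwner {
        s_password = newPassword;
    }

    function getPassword() external view returns (string memory) {
        require(msg.sender == owner(), "PasswordStore: not owner");
        return s_password;
    }
}

// Foundry test: the vulnerable contract accepts a write from a non-owner,
// the fixed contract reverts with Ownable's custom error.
contract PasswordStoreAccessTest is Test {
    address internal ownerAddr = makeAddr("owner");      // constructed test address
    address internal otherAddr = makeAddr("non-owner");  // constructed test address

    function test_vulnerable_nonOwnerCanOverwrite() public {
        vm.prank(ownerAddr);
        PasswordStoreVulnerable store = new PasswordStoreVulnerable();

        vm.prank(otherAddr);
        store.setPassword("overwritten");

        vm.prank(ownerAddr);
        assertEq(store.getPassword(), "overwritten");
    }

    function test_fixed_nonOwnerIsRejected() public {
        vm.prank(ownerAddr);
        PasswordStoreFixed store = new PasswordStoreFixed();

        vm.prank(otherAddr);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, otherAddr)
        );
        store.setPassword("overwritten");
    }
}
```

Run with `forge test` inside a Foundry project that has both dependencies installed; the first test documents the unrestricted write, the second confirms that onlyOwner rejects every caller except the address passed to the Ownable constructor.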
By adding onlyOwner to the setPassword function, only the owner of the contract will have permission to change the password, enhancing security and preventing malicious users from making unauthorized changes.
Anyone can call `setPassword` and set a new password, contrary to the contract's intended purpose.