Weak policy at Change password function in bookwyrm-social/bookwyrm


Reported on

Jul 11th 2022


BookWyrm applies a weak password policy: the change password function accepts a new password of just one character.

Steps to reproduce

1. Log in, then go to the Change password page (https://book.dansmonorage.blue/preferences/password)
2. Enter a single character (for example: 1) in the new password field and the same character in the confirm password field
3. The password is changed successfully.


When a user changes their password to one that is too simple, an attacker can easily guess it and access the account.


BookWyrm should apply a stricter policy when changing the password, such as requiring a length of at least 8 characters, at least one special character, at least one number, at least one capital letter, ...

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
Mouse Reeve validated this vulnerability 2 years ago
khanhchauminh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.4 with commit 137311 2 years ago
The fix bounty has been dropped
change_password.py#L14-L49 has been validated
password.py#L1-L83 has been validated