I came across one application while doing security assessment and found that they were using default admin account.And that too the admin account was having credentials as admin:admin. Catastrophic, isn't it?
I raised this issue before completing the assessment with the developers. They had their usual excuse- this was introduced to help user reset their passwords through the web application and since the web application was supposed to be used by singles user. It was essentially a single user environment. The web application was running locally on their individual laptops and the laptop was being plugged on the LAN just for few moments to reset some device readings.
Now the risk was:
Even a momentarily the laptop was connected to local network, the default admin account's presence was known to every other user. If they change the password using the default account then?
Though this was single user environment and only very few users were supposed to use the application on their individual laptops, we can't ignore the risk.
But then there's was no mechanism to reset the password as there was no email accounts associated or nor admin present to reset the password. It was very simple web application to just record and generate reports about some sensors' health.
So after brainstorming, we proposed the following solution in this kind of single user and isolated environment without compromising with usability:
Implementing a feature of local password reset in this single user environment. Develop a CLI (Command Line Interface)/ console based utility which changes the password locally on the machine, rather than providing this facility as web interface as this might be accessed remotely. The utility directly resets the password into database from command line. This approach provides both security and usability in current single user
environment.
I raised this issue before completing the assessment with the developers. They had their usual excuse- this was introduced to help user reset their passwords through the web application and since the web application was supposed to be used by singles user. It was essentially a single user environment. The web application was running locally on their individual laptops and the laptop was being plugged on the LAN just for few moments to reset some device readings.
Now the risk was:
Even a momentarily the laptop was connected to local network, the default admin account's presence was known to every other user. If they change the password using the default account then?
Though this was single user environment and only very few users were supposed to use the application on their individual laptops, we can't ignore the risk.
But then there's was no mechanism to reset the password as there was no email accounts associated or nor admin present to reset the password. It was very simple web application to just record and generate reports about some sensors' health.
So after brainstorming, we proposed the following solution in this kind of single user and isolated environment without compromising with usability:
Implementing a feature of local password reset in this single user environment. Develop a CLI (Command Line Interface)/ console based utility which changes the password locally on the machine, rather than providing this facility as web interface as this might be accessed remotely. The utility directly resets the password into database from command line. This approach provides both security and usability in current single user
environment.
Comments