Authorization / Default User Password Not Requiring Change After First Login

Web and API


This vulnerability is a flaw in systems or applications where the default password assigned to a user at account creation remains valid even after the user's first login. It poses a significant security risk because it allows unauthorized access to user accounts, potentially leading to data breaches, unauthorized information disclosure, and other malicious activity.


Attackers can exploit this vulnerability by either guessing or acquiring default passwords through various means. Once inside the system, they can access sensitive user data, manipulate user settings, and perform actions on behalf of the legitimate user. If the default password grants limited access initially, attackers might explore ways to escalate their privileges within the system, potentially gaining administrative control and causing even more damage.


Implement a policy that requires users to change their default passwords upon their first login. This practice ensures that even if the initial password is compromised, it becomes useless to attackers after the user changes it.

