LiveActive security incident?Get immediate response
CWE Reference

CWE-640: Weak Password Recovery Mechanism for Forgotten… | Glexia

CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE…

Release 4.20weaknessIncomplete

Glexia's Take · Automated analysis

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Weak Password Recovery Mechanism for Forgotten Password represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Access Control: Gain Privileges or Assume Identity: An attacker could gain unauthorized access to the system by retrieving legitimate user's authentication credentials.
  • Availability: DoS: Resource Consumption (Other): An attacker could deny service to legitimate system users by launching a brute force attack on the password recovery mechanism using user ids of legitimate users.
  • Integrity,Other: Other: The system's security functionality is turned against the system by the attacker.

Developer Pattern

CWE-640 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-640, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Type
weakness
Abstraction
Base
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • A famous example of this type of weakness being exploited is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.

Remediation

  • Architecture and Design: Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
  • Architecture and Design: Do not use standard weak security questions and use several security questions.
  • Architecture and Design: Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
  • Architecture and Design: Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
  • Architecture and Design: Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
  • Architecture and Design: Assign a new temporary password rather than revealing the original password.

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.