Insufficient password recovery vulnerabilities occur when the application does not have an effective process to verify user identity when handling a "forgotten password" condition, and then either gives the password to the attacker or allows the attacker to change the password. The attacker is then able to impersonate the user and gain access to the user's account.
For example, the application might verify user identity by asking personal questions whose answers can be found on social networks. The attacker will be able to answer these questions and successfully impersonate the user to the application.
If the application does not sufficiently verify the user's identity, but sends the recovery information to the user over e-mail or using some other side-channel, the attacker will need to exploit additional vulnerabilities to complete the attack.
All applications that allow users to recover or change a forgotten password are potentially affected by insufficient password recovery vulnerabilities.
The impact of insufficient password recovery vulnerabilities is that attackers will be able to take over users' accounts. Once an attacker has compromised a user's account, the attacker will be able to do anything that the user is able to do.
If the attacker compromises an administrative account, they might be able to inject malicious code into the application or its data and take over the application. Upon taking over the application, the attacker will have access to all application functionality and all application data, will be able to use the application to attack its users with malicious scripts, and will be able to use the server as a part of a botnet.
To prevent insufficient password recovery vulnerabilities, verify user identity when resetting passwords and send the reset token on a side-channel.
To verify that insufficient password recovery vulnerabilities are prevented, make sure that user identity is verified when resetting passwords and the reset tokens are sent on a side-channel.