PlaciPy Hard-Coded Password Vulnerability Leading to Mass Account Takeover
Vulnerability
A vulnerability exists in PlaciPy version 1.0.0, where a hard-coded default password is assigned to all newly created student accounts. This design flaw allows attackers to log in as any student once the password is known, resulting in mass account takeover. The default password is stored in the source code, logged in plaintext, and set as a permanent password without any per-user randomization or forced password reset on first login. This vulnerability violates secure credential management principles and could lead to unauthorized access to sensitive data, including personal information and assessment results, as well as privilege abuse by allowing access to restricted student-only endpoints.
Impact
Exploitation of this vulnerability allows for immediate and complete account compromise of all student accounts, with the default password logged in plaintext and potentially accessible through monitoring systems.
Remediation
To address this vulnerability, remove the hard-coded password and implement a system that generates unique, cryptographically secure passwords for each user. Ensure that passwords are delivered via secure, expiring email links and enforce a password policy through AWS Cognito. Additionally, rotate any compromised credentials immediately.
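As an added illustration (not PlaciPy's code; the default value, field names and 12-character policy are constructed assumptions), the shared-password pattern the advisory describes beside a hardened account-creation routine that issues a unique CSPRNG-generated temporary password per user, stores only a salted hash, and forces a reset on first login:

```python
import hashlib
import hmac
import os
import secrets
import string

# Vulnerable pattern described in the advisory: every new student gets the same
# constant password (constructed placeholder, not PlaciPy's actual value).
DEFAULT_STUDENT_PASSWORD = "Placeholder-Default-1"

def create_student_vulnerable(email):
    # One shared secret: whoever learns it can log in as every student.
    return {"email": email, "password": DEFAULT_STUDENT_PASSWORD}

# Hardened replacement: unique random password per user, kept only as a salted
# hash, never logged, and flagged so the user must choose a new one on first login.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

def meets_policy(pw):
    # Assumed Cognito-style policy: length >= 12 with upper, lower, digit and symbol.
    return (len(pw) >= 12
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in "!@#$%^&*" for c in pw))

def generate_temp_password(length=16):
    # Rejection-sample from the CSPRNG until the candidate satisfies the policy.
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw

def hash_password(pw, salt=None):
    # Per-user random salt plus PBKDF2-HMAC-SHA256; the plaintext is never stored.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)

def create_student_hardened(email):
    pw = generate_temp_password()
    salt, digest = hash_password(pw)
    record = {"email": email, "salt": salt, "hash": digest, "must_reset": True}
    # The plaintext is returned exactly once for delivery over a secure channel
    # (e.g. an expiring link) and must not be written to any log.
    return record, pw

def verify_password(record, attempt):
    _, digest = hash_password(attempt, record["salt"])
    return hmac.compare_digest(digest, record["hash"])
```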
