Summary:
The login page on evo.app accepts a null (empty) password, allowing users to log in without providing any credentials. This issue poses a significant security risk, as it could enable unauthorized access to user accounts.
Steps to Reproduce:
Navigate to the evo.app login page.
Enter a valid username or email address.
Leave the password field empty (null).
Click on the "Login" button.
Expected Result:
The system should reject the login attempt and display an error message indicating that the password field cannot be empty.
Actual Result:
The system accepts the login attempt and grants access to the user's account without requiring a password.
Impact:
This bug allows anyone with access to a valid username or email address to log in to the corresponding account without needing to know the password, potentially leading to unauthorized access and data breaches.
Additional Information:
This issue could indicate a problem with the server-side authentication logic, where the password validation is either missing or improperly handled.
Consider reviewing the authentication process to ensure that passwords are correctly validated and that null passwords are explicitly rejected.
Suggested Fix:
Implement proper validation on the password field to ensure that it cannot be empty before proceeding with the login process. Additionally, review the entire authentication flow to ensure that similar issues are not present elsewhere.
Name = Sagar Rawat