Use of Password Hash Instead of Password for Authentication
This vulnerability occurs when an application's authentication system accepts a password hash directly from the client for verification, instead of receiving and hashing the plaintext password on the server.
Some systems are designed to have the client (like a web browser or mobile app) send a pre-computed password hash to the server, often with the intention of reducing server load or avoiding transmission of the raw password. However, this design fundamentally breaks the security model. Once an attacker steals a hash from the server's database—through methods like SQL injection or data exposure—they can simply submit that same hash using a modified client to impersonate the user. The server cannot distinguish between a legitimate client's hash and an attacker's replayed one. Consequently, authenticating with a client-supplied hash provides no more security than using plaintext passwords. The server loses the ability to apply its own cryptographic salts and work factors, and the hash effectively becomes the password itself. To be secure, the server must always receive the plaintext password, perform the hashing operation itself using a strong, salted algorithm, and compare the result to its stored hash.
Impact: Bypass Protection MechanismGain Privileges or Assume Identity
An attacker could bypass the authentication routine without knowing the original password.