CAPTCHA Option Should Exist for The Password Reset Form


    • Type: Suggestion
    • Resolution: Won't Fix
    • Component/s: None
    • Environment: Java 1.6.0_17; Windows XP Professional Environment

NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

The password reset prompt allows an individual to reset any user's password. My company uses a standard employee ID as the JIRA username. With little knowledge, I designed a script that can cycle through employee ID numbers and submit them to the reset password form. This process can repeat through an entire list of associate employee ID numbers.

I am in the IT Security department, so my research was more of a proof of concept; however, the script could be written by anyone. This causes an annoyance for users, and could potentially hinder the performance of the JIRA server (which we are running in a VM) and might even impact our MS Exchange servers, which have to process all password reset confirmation emails.

The password reset prompt should be able to share the CAPTCHA functionality that the JIRA admin can enable for the account sign-up form. The solution is not perfect; however, it is a step in the right direction for disabling bot attacks that can reset every user's password.

    • Assignee: Unassigned
    • Reporter: Kevin Adler
    • Votes: 0
    • Watchers: 1

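Since the suggestion was closed as Won't Fix, the practical defence for the mass-reset scenario described above is to spot it in the access log. The following is an added example, not code from the issue or from Atlassian: it scans constructed combined-log lines for bursts of POSTs to the reset form from one client. The endpoint path, the window and the threshold are assumptions chosen for illustration.

```python
"""Flag clients sending bursts of password-reset POSTs (added example).

Assumptions, not taken from the JIRA issue: access-log lines in a
simple combined-log style, and RESET_PATH as the reset form's POST target.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RESET_PATH = "/secure/ForgotLoginDetails.jspa"  # assumed reset endpoint
WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # reset submissions per client per window before flagging

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def find_reset_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak count} for clients exceeding threshold reset POSTs
    inside any sliding window of the given length."""
    recent = defaultdict(deque)  # ip -> timestamps of recent reset POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _ = rec
        if method != "POST" or path != RESET_PATH:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:  # drop entries outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client cycling through six reset requests in a
# minute, one ordinary reset, and one unrelated page load.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2010:09:00:%02d +0000] "POST %s HTTP/1.1" 200' % (i, RESET_PATH)
    for i in range(6)
] + [
    '10.0.0.9 - - [10/Jan/2010:09:00:30 +0000] "POST %s HTTP/1.1" 200' % RESET_PATH,
    '10.0.0.9 - - [10/Jan/2010:09:00:31 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_reset_bursts(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

A flagged client is a candidate for rate limiting or a CAPTCHA challenge; the threshold should be tuned against normal reset volume before alerting on it.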