Security vulnerabilities

This is the security vulnerability reporting site for alwaysdata. Please make sure you read our bug bounty program before registering and creating a new task to submit a vulnerability you've discovered.

Once processed, the reports are public. Any private information can be transmitted via a support ticket on our administration interface.

ID | Summary | Status | Date closed
146 | Security Report: Webmail Session Reuse After Account De ... | Closed | 01.04.2025

Task Description

Vulnerability Description:

A vulnerability was discovered in Alwaysdata's domain and email management system, allowing an attacker to maintain an active session even after deleting their account. This vulnerability can be exploited through email domain reuse in Webmail, enabling an attacker to gain access to newly created email accounts without needing to steal login credentials.

Exploitation Steps:

1. The attacker adds the domain evil.com to their Alwaysdata account.

2. They create an email address admin@evil.com via Webmail (webmail.alwaysdata.com).

3. The attacker logs into Webmail and saves the session.

4. They delete their Alwaysdata account, but the Webmail session remains active.

5. A new user adds evil.com to their Alwaysdata account and creates the same email admin@evil.com.

6. Once the new user logs into Webmail, the attacker still has access to the email since their session remains active!

Proof of Concept (PoC) Provided: https://admin.alwaysdata.com/support/85071/

Impact of the Vulnerability:

Modification of email settings.

Wide-scale exploitation: The attacker can repeat the process with multiple domains, allowing them to gain control over different email accounts.

Recommendations to Fix the Vulnerability:

1. Terminate all active sessions immediately when an account is deleted or a domain is removed.

2. Link sessions to the user account instead of just the domain to ensure sessions do not transfer between different users.

This vulnerability poses a serious threat to user privacy and account security, and we strongly recommend fixing it as soon as possible.

145 | Insecure Account Removal | Closed | 26.03.2025

Task Description

Summary:
Deleting accounts without proper credentials or verification can lead to unauthorized access, data loss, account takeovers, compliance violations, and legal penalties. It can also disrupt services, damage reputation, create audit gaps, increase fraud risks, and burden customer support. Proper security measures and verification processes are essential to prevent these issues.

Weakness: Improper Authorization and Broken Authentication (CWE-285)
Severity: High

Steps to Reproduce:
1. Log in to your account at https://admin.alwaysdata.com/login/.
2. Click on the account profile.
3. Choose the "Delete this profile" option and then click on submit.
4. Notice that there is no password confirmation required to proceed with the account deletion.
5. Confirm the account deletion request; the account will be deleted without requiring the user to enter their password.

Impact:
Deleting an account without a password or proper verification can have several serious consequences. Unauthorized deletions may result in legitimate users losing access to important data, files, or services, which can be difficult or impossible to recover. Data loss can be catastrophic for both individuals and organizations, especially if the account contained sensitive information or intellectual property. Additionally, if an attacker gains control and deletes the account, this could lead to account takeovers or impersonation attempts.

PoC:
https://drive.google.com/file/d/1juWAAZdCm_o1RiSwVAZiq8guAGsjIS3e/view?usp=sharing

Thanks and regards,
spyhacker
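The two fixes recommended in the reports above, as one added example that is not alwaysdata's code: sessions bound to the owning account rather than to the mailbox address (task 146, recommendation 2), account deletion that first re-checks the password (task 145) and then revokes every session of that account (task 146, recommendation 1). The class, its methods and the in-memory stores are assumptions made for the example; replay_report_146 walks through the report's steps against this model and returns (old token still valid, new user's token valid).

```python
import hashlib, hmac, os, secrets

class WebmailAuth:
    def __init__(self):
        self.accounts = {}   # account_id -> (salt, password hash); ids are never reused
        self.mailboxes = {}  # address -> owning account_id
        self.sessions = {}   # token -> (account_id, address)
        self._next_id = 1

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, password, address):
        account_id, self._next_id = self._next_id, self._next_id + 1
        salt = os.urandom(16)
        self.accounts[account_id] = (salt, self._hash(password, salt))
        self.mailboxes[address] = account_id  # the address now belongs to this account
        return account_id

    def verify_password(self, account_id, password):
        rec = self.accounts.get(account_id)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def login(self, account_id, address, password):
        if self.mailboxes.get(address) != account_id or not self.verify_password(account_id, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (account_id, address)  # bound to the account, not just the address
        return token

    def session_valid(self, token):
        # Honoured only while the account still exists and still owns the address it logged into.
        account_id, address = self.sessions.get(token, (None, None))
        return account_id in self.accounts and self.mailboxes.get(address) == account_id

    def delete_account(self, account_id, password):
        if not self.verify_password(account_id, password):  # re-authenticate first (task 145)
            return False
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != account_id}  # revoke (task 146)
        self.mailboxes = {a: o for a, o in self.mailboxes.items() if o != account_id}
        del self.accounts[account_id]
        return True

def replay_report_146():
    auth = WebmailAuth()
    attacker = auth.create_account("attacker-pw", "admin@evil.com")
    old_token = auth.login(attacker, "admin@evil.com", "attacker-pw")
    auth.delete_account(attacker, "attacker-pw")
    new_user = auth.create_account("new-user-pw", "admin@evil.com")
    new_token = auth.login(new_user, "admin@evil.com", "new-user-pw")
    return auth.session_valid(old_token), auth.session_valid(new_token)
```

Note that the account id counter must never be recycled: if the new user received the deleted account's id, an address-plus-id binding alone would accept the old token again.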
