- Status Closed
-
Assigned To
cbay - Private
Opened by monty099 - 19.03.2025
Last edited by cbay - 21.03.2025
FS#139 - Title: Session Persistence After Subdomain Reuse or Transfer Leads to Email Account Takeover
Vulnerability Type:
Session Management Issue
Email Account Takeover
User Data Exposure
Severity: P1 (Critical)
This vulnerability allows an attacker to retain a valid session even after a subdomain is deleted or transferred to another user, enabling them to:
Read all incoming emails of the new user.
Send emails on behalf of the new user.
Modify email settings, such as forwarding rules and signatures.
—
Description:
The Alwaysdata platform allows users to create subdomains under alwaysdata.net for hosting websites and managing emails via webmail.alwaysdata.com. However, a critical session management flaw enables an attacker to retain an active session even after deleting or transferring the subdomain to a new user.
—
Scenario 1: Subdomain Reuse
Steps to Reproduce:
1. The attacker creates a subdomain (e.g., attacker.alwaysdata.net).
2. The attacker logs into webmail.alwaysdata.com and keeps the session active.
3. The attacker deletes the subdomain from their account.
4. A new user registers the same subdomain (attacker.alwaysdata.net).
5. The new user logs into webmail.alwaysdata.com.
6. The attacker retains a valid session, allowing them to:
Read all incoming emails of the new user.
Send emails on behalf of the new user.
Modify email settings (forwarding, signature, etc.).
7. The new user may encounter session-related errors, such as:
"Server Error: CREATE: Internal error occurred. Refer to server log for more information."
—
Scenario 2: Subdomain Ownership Transfer
Steps to Reproduce:
1. The attacker creates a subdomain (e.g., attacker.alwaysdata.net).
2. The attacker logs into webmail.alwaysdata.com and keeps the session active.
3. Instead of deleting the subdomain, the attacker transfers ownership to another user via admin.alwaysdata.com.
4. The new user accepts the transfer and starts using the subdomain.
5. The attacker retains an active session, allowing them to:
Read and send emails on behalf of the new user.
Modify email settings.
Access the email account until the session expires.
6. Even if the new user changes their email password via admin.alwaysdata.com, the attacker still has access due to the active session.
—
Impact:
Sensitive Data Exposure: The attacker can read incoming emails.
Identity Theft: The attacker can send emails on behalf of the new user.
Account Compromise: The attacker can modify email settings to maintain access.
Mass Exploitation: The attacker can create and delete multiple subdomains to target many future users.
##POC: https://admin.alwaysdata.com/support/84903/
—
Recommended Fixes:
Terminate all active sessions immediately upon subdomain deletion or transfer.
Link sessions to the user account instead of just the subdomain.
Warn the new user if there was an existing open session for the same subdomain.
Enforce re-authentication when transferring subdomain ownership.
Add an additional verification layer for email-related sessions when ownership changes.
This vulnerability poses a severe risk to user privacy and requires an urgent fix to prevent unauthorized access to email accounts.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
This is only true if the account was recreated with the same password as well. We don't consider this a vulnerability as our webmail works exactly like an email client.
Transferring an account doesn't change anything on a technical level, so it's normal that it wouldn't invalidate current sessions.
Kind regards,
Cyril
Hello,
I would like to clarify that the old session remains active even after the subdomain is deleted and re-created by a new user with a different password. This represents a critical security flaw in session management, as all sessions associated with a specific subdomain should be terminated upon deletion.
Issue Details:
1. Persistence of the Old Session:
When an attacker creates a subdomain (e.g., attacker.alwaysdata.net) and logs into webmail.alwaysdata.com, the session remains active.
After deleting the subdomain, the old session is not terminated, allowing the attacker to retain access to the account associated with the previous subdomain.
2. Reusing the Same Subdomain Name:
If a new user creates the same subdomain (attacker.alwaysdata.net) but with a different password, the attacker's old session remains valid.
This allows the attacker to access and modify the new user's email settings.
3. Ability to Modify Email Settings:
Even if the attacker cannot read or send emails, they can still alter email settings such as forwarding rules, signatures, and filters.
This provides the attacker with opportunities for more complex exploits.
###I sent a proof of concept: https://admin.alwaysdata.com/support/84903/
Security Impact:
Settings Manipulation: The attacker can alter the new user's email settings, such as forwarding emails to another address.
Session Interference: The old session affects the new user's session, causing errors and delays in the system.
Privacy Violation: While the attacker may not directly access emails, the ability to modify settings still presents a serious security risk.
Hello,
Thanks for the clarification. I agree that the Roundcube session was not deleted when a mailbox was deleted, so Roundcube settings could still be modified and were applied on the new mailbox. It was not possible to change forwarding rules, though.
It's now fixed.
Can you claim your bounty in the ticket you've already opened by giving us your PayPal account?
Kind regards,
Cyril