Security vulnerabilities

  • Status: Assigned (Reopened)
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 28.03.2025
Last edited by cbay - 28.03.2025

FS#146 - Security Report: Webmail Session Reuse After Account Deletion in Alwaysdata

Vulnerability Description:

A vulnerability was discovered in Alwaysdata's domain and email management system, allowing an attacker to maintain an active session even after deleting their account. This vulnerability can be exploited through email domain reuse in Webmail, enabling an attacker to gain access to newly created email accounts without needing to steal login credentials.

Exploitation Steps:

1. The attacker adds the domain evil.com to their Alwaysdata account.

2. They create an email address admin@evil.com via Webmail (webmail.alwaysdata.com).

3. The attacker logs into Webmail and saves the session.

4. They delete their Alwaysdata account, but the Webmail session remains active.

5. A new user adds evil.com to their Alwaysdata account and creates the same email admin@evil.com.

6. Once the new user logs into Webmail, the attacker still has access to the email since their session remains active!

Proof of Concept (PoC) Provided: https://admin.alwaysdata.com/support/85071/

Impact of the Vulnerability:

Modification of email settings.

Wide-scale exploitation: The attacker can repeat the process with multiple domains, allowing them to gain control over different email accounts.

Recommendations to Fix the Vulnerability:

1. Terminate all active sessions immediately when an account is deleted or a domain is removed.

2. Link sessions to the user account instead of just the domain to ensure sessions do not transfer between different users.

This vulnerability poses a serious threat to user privacy and account security, and we strongly recommend fixing it as soon as possible.
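The two recommendations above describe a session model in which deleting an account revokes every session it owns, and in which a session is bound to an opaque account identifier rather than to the mailbox address. The following is an added illustration of that model, not Alwaysdata's code: a small in-memory session store with hypothetical names (`WebmailSessions`, `Account`, `resolve`), constructed sample addresses, and a scenario that replays the reported sequence (create account, log in, delete account, a second user re-creates the same address) to show that the first user's token no longer resolves. A `revoke_sessions=False` path is included only to show that the per-request ownership check in `resolve` still rejects the stale session when revocation on deletion is skipped.

```python
"""Hypothetical webmail session model (added example, not Alwaysdata's code).

Two defences taken from the report's recommendations:
  1. deleting an account revokes every session that account owns;
  2. a session is bound to an opaque, never-reused account id and is
     re-checked against the account on every request, so a later account
     that re-creates the same mailbox address never matches the old token.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Account:
    account_id: str   # opaque identifier, never reused for another account
    mailbox: str      # e.g. "admin@evil.example" (constructed sample value)


class WebmailSessions:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}          # account_id -> Account
        self.mailbox_owner: Dict[str, str] = {}         # mailbox -> account_id
        self.sessions: Dict[str, str] = {}              # token -> account_id
        self.sessions_by_account: Dict[str, Set[str]] = {}

    def create_account(self, mailbox: str) -> Account:
        if mailbox in self.mailbox_owner:
            raise ValueError("mailbox already owned by a live account")
        acct = Account(secrets.token_hex(8), mailbox)
        self.accounts[acct.account_id] = acct
        self.mailbox_owner[mailbox] = acct.account_id
        return acct

    def login(self, account_id: str) -> str:
        # The token maps to the account id, never to the mailbox string.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        self.sessions_by_account.setdefault(account_id, set()).add(token)
        return token

    def delete_account(self, account_id: str, revoke_sessions: bool = True) -> int:
        """Remove the account. Returns the number of sessions revoked.

        revoke_sessions=False only simulates an incomplete deletion path so
        the scenario below can show that resolve() still rejects the token.
        """
        revoked: Set[str] = set()
        if revoke_sessions:
            revoked = self.sessions_by_account.pop(account_id, set())
            for token in revoked:
                self.sessions.pop(token, None)
        acct = self.accounts.pop(account_id)
        self.mailbox_owner.pop(acct.mailbox, None)
        return len(revoked)

    def resolve(self, token: str) -> Optional[Account]:
        """Return the live account for a token, or None if the session is stale.

        Checked on every request: the account must still exist and must still
        be the owner of its mailbox. A stale token is revoked on the spot.
        """
        account_id = self.sessions.get(token)
        if account_id is None:
            return None
        acct = self.accounts.get(account_id)
        if acct is None or self.mailbox_owner.get(acct.mailbox) != account_id:
            self.sessions.pop(token, None)
            self.sessions_by_account.get(account_id, set()).discard(token)
            return None
        return acct


def scenario(revoke_on_delete: bool = True) -> dict:
    """Replay the reported sequence against the hardened store."""
    store = WebmailSessions()
    first = store.create_account("admin@evil.example")      # constructed
    first_token = store.login(first.account_id)
    valid_before = store.resolve(first_token) is first

    revoked = store.delete_account(first.account_id, revoke_sessions=revoke_on_delete)

    second = store.create_account("admin@evil.example")     # same address, new account
    second_token = store.login(second.account_id)
    return {
        "first_session_valid_before_deletion": valid_before,
        "sessions_revoked_on_deletion": revoked,
        "first_session_valid_after_reuse": store.resolve(first_token) is not None,
        "second_session_resolves_to_second": store.resolve(second_token) is second,
    }


if __name__ == "__main__":
    print(scenario())
    print(scenario(revoke_on_delete=False))
```

Both paths matter: revocation at deletion time closes the window immediately, and the ownership check in `resolve` is the backstop for any deletion or domain-removal path that forgets to revoke. A real deployment would keep the session table in a shared store (Redis, database) so that the webmail front end and the account-management panel see the same revocations.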

cbay (Admin) commented on 28.03.2025 08:30

Hello,

Your video shows that your session is not valid anymore: when you click on an icon to change the page, you get "Connection to storage failed" and "Loading…".

Kind regards,
Cyril

The message 'Connection to storage failed' does not indicate session termination. As clearly demonstrated in my video, I was able to successfully modify email settings, which would be impossible if the session was truly invalid. This proves that the session persists even after account deletion, posing a significant security risk.

I strongly recommend that you test this scenario yourselves to confirm the issue. If necessary, I can provide additional evidence, but the current proof is already sufficient to demonstrate the risk.
