- Status Closed
- Assigned To No-one
- Private
Opened by Devansh811 - 18.01.2024
Last edited by cbay - 19.01.2024
FS#17 - Lack of password confirmation on account deletion
Hello support teams,
I hope this email finds you well. I am Devansh . I am a security researcher and I found a vulnerability in your website.
bug name : Lack of password confirmation on account deletion
Description: the user account can be deleted without confirming user password or re authentication.
The removal of an account is one of the sensitive parts of any application that needs to be protected, therefore removing an account should validate the authenticity of the legitimate user.
steps to reproduce:
1. Go to account settings and click on delete account.
2. There will be a next page where I click on delete my account now option.
3. You will see the message of account has been deleted and get logged out
Remediation:
System must confirm authentic user before performing such task. A link can be sent to the user email id that can be used for delete operation. Otherwise user password should be provided to the application to confirm the entity identity.
It seems to be of very low impact,but consider a situation when a user forgets to logout from his account or someone gets access to his phone and deletes the account. This situation is more severe than account takeover as there is no way to get an account again. All the save information and data including previous record, card information etc can be deleted.
video poc is attached
Thanks and regards
Devansh
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
Although asking for a password confirmation when deleting an account might be a good practice, we don't consider this a security vulnerability.
Even if we asked for password for deleting an account, an attacker that would have gained access to the administration panel could basically delete all data (files, databases, domains) with a few more clicks anyway. And asking for a password confirmation when deleting any object would be a real burden for users.
Besides, even if an account gets deleted, we still keep backups for 30 days. The client would just need to contact us to have their account restored.
Kind regards,
Cyril
okay , depends on the website to website .
I had reported the same vulnerability to many websites 80% of them accepted it as a low severity .