Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by Devansh811 - 18.01.2024
Last edited by cbay - 19.01.2024

FS#17 - Lack of password confirmation on account deletion

Hello support teams,
I hope this email finds you well. I am Devansh. I am a security researcher and I found a vulnerability in your website.

Bug name: Lack of password confirmation on account deletion

Description: the user account can be deleted without confirming the user's password or re-authentication.
The removal of an account is one of the sensitive parts of any application that needs to be protected; therefore, removing an account should validate the authenticity of the legitimate user.

Steps to reproduce:

1. Go to account settings and click on delete account.

2. There will be a next page where I click on the "delete my account now" option.

3. You will see the message that the account has been deleted and get logged out.

Remediation:
The system must confirm the authentic user before performing such a task. A link can be sent to the user's email ID that can be used for the delete operation. Otherwise, the user's password should be provided to the application to confirm the entity's identity.

It seems to be of very low impact, but consider a situation where a user forgets to log out of their account or someone gets access to their phone and deletes the account. This situation is more severe than account takeover, as there is no way to get the account back. All the saved information and data, including previous records, card information, etc., can be deleted.

Video PoC is attached.

Thanks and regards
Devansh

https://
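The two remediations proposed in the report (a password re-check or a single-use emailed link before deletion) are shown below as an added example; this is not code from the report or from the vendor's product. The in-memory user store, the `outbox` list standing in for an email sender, and the `AccountService` class are constructed for illustration; only the standard library is used.

```python
"""Added example: account deletion gated by re-authentication.

Two paths are shown: (1) the caller supplies the current password, which is
verified against a PBKDF2 hash; (2) a single-use, time-limited token is
generated, "emailed" (here: appended to an outbox list), and must be
presented to complete the deletion. Everything here is a constructed
stand-in, not the vendor's implementation.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000       # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60       # emailed deletion link is valid for 15 minutes


def hash_password(password, salt=None):
    """Return (salt, digest) for the password; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a wrong guess leaks no timing information."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountService:
    def __init__(self):
        self.users = {}     # username -> {"salt", "digest", "deleted"}
        self.pending = {}   # sha256(token) -> (username, expiry); stored hashed, never in the clear
        self.outbox = []    # constructed stand-in for an email sender: (username, token)

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "deleted": False}

    def delete_with_password(self, username, password):
        """Path 1: delete only after the current password is re-verified."""
        user = self.users.get(username)
        if user is None or user["deleted"]:
            return False
        if not verify_password(password, user["salt"], user["digest"]):
            return False   # wrong password: the session alone is not enough to delete
        user["deleted"] = True
        return True

    def request_delete_link(self, username):
        """Path 2, step 1: mint a single-use token and hand it to the mailer."""
        if username not in self.users:
            return
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (username, time.time() + TOKEN_TTL_SECONDS)
        self.outbox.append((username, token))

    def delete_with_token(self, token, now=None):
        """Path 2, step 2: the token must exist, be unexpired, and is consumed on first use."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)   # pop makes the token single-use, even on failure
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        user = self.users.get(username)
        if user is None or user["deleted"]:
            return False
        user["deleted"] = True
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice", "correct horse battery staple")
    print("wrong password:", svc.delete_with_password("alice", "guess"))          # False
    print("right password:", svc.delete_with_password("alice", "correct horse battery staple"))  # True
```

The token is kept only as a SHA-256 hash so that a read of the pending table does not yield usable links, and it is removed on the first lookup regardless of outcome, which is what turns an emailed link into a single-use confirmation.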

Closed by cbay
19.01.2024 11:24
Reason for closing: Invalid
Admin
cbay commented on 18.01.2024 11:04

Hello,

Although asking for a password confirmation when deleting an account might be a good practice, we don't consider this a security vulnerability.

Even if we asked for a password for deleting an account, an attacker who had gained access to the administration panel could basically delete all data (files, databases, domains) with a few more clicks anyway. And asking for a password confirmation when deleting any object would be a real burden for users.

Besides, even if an account gets deleted, we still keep backups for 30 days. The client would just need to contact us to have their account restored.

Kind regards,
Cyril

Okay, it depends from website to website.

I had reported the same vulnerability to many websites; 80% of them accepted it as low severity.
