- Status: Closed
- Assigned To: cbay - Private
- Opened by hacktivist - 26.07.2025
- Last edited by cbay - 28.07.2025
FS#196 - Insecure Account Deletion Vulnerability on https://admin.alwaysdata.com/admin/details/
Description:
An insecure account deletion vulnerability has been identified on the AlwaysData admin platform. The application allows account deletion without requiring re-authentication or password confirmation, which can lead to unauthorized account deletion on shared or public devices.
Exploit Scenario:
1. A legitimate user logs into their AlwaysData admin account on a shared device (e.g., library, internet café, or office).
2. The user accidentally leaves the session open without logging out.
3. An attacker accesses the session and navigates to the following URL: https://admin.alwaysdata.com/admin/details/
4. The attacker clicks "Delete this profile".
5. The system allows the deletion of the user account without requiring password re-entry or secondary confirmation, leading to account loss.
Steps to Reproduce:
1. Log in to your admin account at: https://admin.alwaysdata.com/
2. Navigate to: https://admin.alwaysdata.com/admin/details/
3. Click on the "Delete this profile" button.
4. Observe that no password or identity confirmation is required to proceed with account deletion.
Security Impact:
This lack of re-authentication introduces a critical security risk, especially on shared or publicly accessible machines. It allows any unauthorized person with temporary access to the session to delete the account permanently.
Recommended Mitigation:
Implement a re-authentication mechanism before executing sensitive actions like account deletion. This should include:
- Prompting the user to re-enter their password.
- Validating a session token or sending a secondary confirmation email/code.
This ensures that only an authenticated and intended user can perform account deletion.
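The following is an added illustration of the recommended "sudo mode" pattern, not code from alwaysdata: a deletion handler refuses to act unless the session holds a fresh password confirmation, and the confirmation is single-use. The `Account`/`Session` types, the 300-second freshness window and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW_SECONDS = 300  # assumed: how long a password confirmation stays fresh
PBKDF2_ROUNDS = 200_000      # assumed work factor for the stored password hash


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) for a new or existing salt (example helper)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:            # constructed stand-in for the real user record
    username: str
    salt: bytes
    pw_hash: bytes
    deleted: bool = False


@dataclass
class Session:            # constructed stand-in for the web session
    user: Account
    reauth_at: Optional[float] = None  # when the password was last re-entered


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted without fresh re-authentication."""


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Verify the re-entered password in constant time and stamp the session."""
    _, candidate = hash_password(password, session.user.salt)
    if not hmac.compare_digest(candidate, session.user.pw_hash):
        return False
    session.reauth_at = time.time() if now is None else now
    return True


def delete_account(session: Session, now: Optional[float] = None) -> bool:
    """Hardened handler: deletion only within the freshness window, then consumed."""
    now = time.time() if now is None else now
    if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW_SECONDS:
        raise ReauthRequired("re-enter your password to delete this profile")
    session.reauth_at = None          # single-use: the next sensitive action re-prompts
    session.user.deleted = True
    return True
```

A stolen or abandoned session can therefore only delete the account if the attacker also knows the password and acts within the window; an email or one-time code check would slot in at the same point as `reauthenticate`.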