- Status Closed
-
Assigned To
cbay - Private
Opened by tester - 27.07.2025
Last edited by cbay - 28.07.2025
FS#197 - Urgent Security Vulnerability = Account Deletion Without Verification.
Dear alwaysdata security Team,
My name is Vedant Tanaji Vhatkar. I’ve identified two critical vulnerabilities in your account system that may severely compromise user security and platform trust.
Observed Behavior: User accounts can be deleted without requiring password re-entry, SMS, email confirmation, or any second form of identity validation.
Steps to Reproduce:
Log into a valid user session.
Navigate to account deletion option.
Trigger deletion without further verification.
Account is deleted immediately or queued for deletion, with no challenge mechanism.
Impact (Attacker’s Perspective):
Attacker can delete accounts instantly after session hijack — no password or re-verification needed.
Account deletion erases forensic logs and obscures evidence of compromise.
Users lose access to warranties, devices, purchase history — often irreversibly.
Automated bots could mass-delete accounts, causing serious platform damage.
No confirmation step = silent victimization and loss of customer trust.
Recommendations:
Enforce password re-entry and multi-factor authentication for deletion.
Introduce a deletion grace period and notify users via email or SMS.
Log and alert users of deletion attempts across all devices
Video poc :https://drive.google.com/file/d/1pORDqY43T-GedPP_avOvlCqzU2MrM9AQ/view?usp=drive_link
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task