- Status: Closed
- Assigned To: cbay - Private
- Opened by: waloodi_109 - 05.08.2025
- Last edited by: cbay - 05.08.2025
FS#199 - Attacker Can Force to Stop Victim to Forget their Account Password in admin.alwaysdata.com.
# Attacker Can Force to Stop Victim to Forget their Account Password in admin.alwaysdata.com.
Hello Sir, I hope you are doing well. While researching your domain, I found that an attacker can force a victim to be unable to recover their account password in admin.alwaysdata.com.
Steps to Reproduce:
1. Go to https://www.alwaysdata.com/en/register/ to sign up.
2. Input Meow.bow+evil@domain.com.Burp Collab, then input a password and click Submit to register your account.
3. Verify this account, log in, and then log out of the account.
4. Register another account at https://www.alwaysdata.com/en/register/.
5. Input Meow.bow+evil1@domain.com.Burp Collab, then input a password and click Submit to register your second account.
6. After that, verify your second account in admin.alwaysdata.com.
7. After registering the two accounts in admin.alwaysdata.com, go to https://admin.alwaysdata.com/password/lost/ to recover their passwords.
8. Input the first and second account emails to recover their passwords; you can see that when you click the Reset button it says that the email doesn't have an account registered.
Impact:
When the victim registers their account with the email Meow.bow+evil@domain.com.Burp Collab and the attacker knows the victim's email, he/she can use the abuse email Meow.bow+evil1@domain.com.Burp Collab to register an account. If the victim forgets their password and wants to recover it via https://admin.alwaysdata.com/password/lost/, the victim loses their account and can't recover it.
# Note:
Try removing symbols from the email to prevent this.
Thank You,
Waleed Anwar
Hello,
I have trouble understanding many of your sentences. For instance:
Can you please rephrase, or alternatively send a video?
Kind regards,
Cyril
Okay, Sir, I will make a video and send it here.
Here is the video Sir
The issue is that you had uppercase letters in your email address. However, your email address is automatically transformed into lowercase when you sign up.
However, we didn't do the same transformation in the "password lost" form, which is why you got "There is no account with this email address".
We've fixed it, but it was not a security issue.
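The mismatch Cyril describes (the address is lowercased at sign-up but was looked up as typed by the "password lost" form) is a canonicalisation-consistency problem. The following is an added example, not alwaysdata's code; the account store, function names and the sample address are constructed for illustration. It shows the as-typed lookup failing next to a lookup that reuses the sign-up canonicalisation:

```python
"""Added example (not alwaysdata's code): why an e-mail address must be
canonicalised the same way at sign-up and at password-reset lookup.

Everything here is a constructed toy store; names are assumptions chosen
for illustration.
"""
from typing import Dict, Optional


def canonical_email(addr: str) -> str:
    """Single canonicalisation rule shared by every entry point.

    Lowercases the whole address and trims surrounding whitespace. The
    local part is case-sensitive per RFC 5321, but providers treat it
    case-insensitively in practice, and applying one rule consistently
    matters more than which rule is chosen. Sub-address tags such as
    "+evil" are deliberately left alone: the thread concludes they were
    not the cause.
    """
    return addr.strip().lower()


class AccountStore:
    """Minimal in-memory account table keyed by canonical e-mail."""

    def __init__(self) -> None:
        self._by_email: Dict[str, str] = {}  # canonical e-mail -> account id

    def register(self, addr: str, account_id: str) -> None:
        # Sign-up path: the address is canonicalised before being stored,
        # which is what the thread says sign-up already did.
        key = canonical_email(addr)
        if key in self._by_email:
            raise ValueError("address already registered")
        self._by_email[key] = account_id

    def lookup_for_reset_buggy(self, addr: str) -> Optional[str]:
        # Behaviour described in the thread: the reset form looked the
        # address up exactly as typed, so "Meow.Bow@..." never matched the
        # stored "meow.bow@..." and the user saw "There is no account with
        # this email address".
        return self._by_email.get(addr)

    def lookup_for_reset_fixed(self, addr: str) -> Optional[str]:
        # Corrected path: apply the same canonicalisation as register().
        return self._by_email.get(canonical_email(addr))


def demo() -> tuple:
    """Register an address typed with uppercase letters, then look it up
    through the buggy and the fixed reset paths."""
    store = AccountStore()
    typed = "Meow.Bow@example.com"  # constructed sample address
    store.register(typed, "acct-1")
    return store.lookup_for_reset_buggy(typed), store.lookup_for_reset_fixed(typed)


if __name__ == "__main__":
    buggy, fixed = demo()
    print("as-typed lookup:  ", buggy)  # None
    print("canonical lookup: ", fixed)  # acct-1
```

The design point is that every entry point that touches the account table (sign-up, login, password reset, e-mail change) calls the one `canonical_email()` helper, so a rule change in one place cannot leave another form out of step.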
But you can clearly see that I registered both accounts and logged into admin.alwaysdata.com. After that, on Reset Password, you can clearly see that it shows "There is no email". If the victim registers an account with their email and the attacker knows the victim's email, he/she can use the abuse email to stop the victim from recovering their password.
Because you had an uppercase letter.
An attacker can use symbols to prevent the victim from recovering their password.
Please try again with new accounts and upload the video.
You are right, it's a matter of uppercase.