Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 05.08.2025
Last edited by cbay - 05.08.2025

FS#199 - Attacker Can Force to Stop Victim to Forget their Account Password in admin.alwaysdata.com.

# Attacker Can Force to Stop Victim to Forget their Account Password in admin.alwaysdata.com.

Hello Sir, I hope you are doing well. While researching on your domain, I found that an attacker can force to stop the victim to forget their account password in admin.alwaysdata.com.

Steps to Reproduce:

1. Go to https://www.alwaysdata.com/en/register/ for Signup.
2. Input Meow.bow+evil@domain.com.Burp Collab, then input a password and click on submit to register your account.
3. Verify this account, log in, and then log out from the account.
4. Register another account at https://www.alwaysdata.com/en/register/.
5. Input Meow.bow+evil1@domain.com.Burp Collab, then input a password and click on submit to register your 2nd account.
6. After that, verify your 2nd account in admin.alwaysdata.com.
7. Having registered two accounts in admin.alwaysdata.com, go to https://admin.alwaysdata.com/password/lost/ to forget their account.
8. Input the first and second account emails to forget their password, but you can see that when you click on the reset button it should say that the email doesn't have an account registered.

Impact:

When the victim registers their account with the email Meow.bow+evil@domain.com.Burp Collab and the attacker knows the victim's email, then he/she can use the abuse email Meow.bow+evil1@domain.com.Burp Collab to register an account. If the victim forgets their password and wants to forget their password with https://admin.alwaysdata.com/password/lost/, the victim loses their account and can't forget their account.

# Note:

Try to remove symbols in the email to prevent this.

Thank You,

Waleed Anwar

Closed by cbay
05.08.2025 14:47
Reason for closing: Invalid
Admin
cbay commented on 05.08.2025 14:01

Hello,

I have trouble understanding many of your sentences. For instance:

8. Input first and second account email to forget their password but you can see that when you click on reset button it should say that email doesn't have account register.

Can you please rephrase, or alternatively send a video?

Kind regards,
Cyril

Okay, Sir, I made a video and am sending it here.

Here is the video, Sir.

Admin
cbay commented on 05.08.2025 14:32

The issue is that you had uppercase letters in your email address. However, your email address is automatically transformed into lowercase when you sign up.

However, we didn't do the same transformation in the "password lost" form, which is why you had the "There is no account with this email address".

We've fixed it, but it was not a security issue.
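The mismatch Cyril describes, modelled as an added example (not alwaysdata's code, and not part of the original thread): the sign-up path lowercases the address before storing it, the lost-password path compared the raw input against those lowercased keys, so a mixed-case address typed into the reset form was never found. The account store, addresses and password hashes below are constructed for illustration; the fix is to route both paths through one shared canonicalization function.

```python
"""Email canonicalization must be identical on every path that touches the
same key: sign-up, login, password reset. Added example; store and data are
constructed, not alwaysdata's."""
from dataclasses import dataclass, field
from typing import Optional


def normalize_email(addr: str) -> str:
    """Canonical form used for storage and lookup: trim whitespace, lowercase.

    Lowercasing the domain is always safe (DNS names are case-insensitive).
    Lowercasing the local part is what the sign-up path in the thread already
    did, so the reset path must do the same or lookups miss. Plus-tags are
    kept: 'a+x@d' and 'a+y@d' are distinct addresses and distinct accounts.
    """
    return addr.strip().lower()


@dataclass
class AccountStore:
    # Keys are normalized addresses; values hold the (hypothetical) credential.
    _by_email: dict = field(default_factory=dict)

    def register(self, email: str, password_hash: str) -> str:
        """Sign-up path: normalizes before storing (as the thread says it did)."""
        key = normalize_email(email)
        if key in self._by_email:
            raise ValueError("email already registered")
        self._by_email[key] = {"password_hash": password_hash}
        return key

    def lost_password_buggy(self, email: str) -> Optional[str]:
        """Original behaviour: raw form input compared against lowercased keys.
        Any uppercase letter in the input makes the account 'not exist'."""
        return email if email in self._by_email else None

    def lost_password_fixed(self, email: str) -> Optional[str]:
        """Fixed behaviour: same canonicalization as sign-up, then lookup.
        Returns the stored key (where the reset mail would go) or None."""
        key = normalize_email(email)
        return key if key in self._by_email else None


def demo() -> dict:
    """Replays the thread's scenario; returns results for inspection."""
    store = AccountStore()
    typed = "Meow.bow+evil@domain.com"      # constructed, mixed case as typed
    store.register(typed, "argon2id$placeholder-hash")
    return {
        "stored_as": sorted(store._by_email),
        "buggy_lookup": store.lost_password_buggy(typed),
        "fixed_lookup": store.lost_password_fixed(typed),
        # A different plus-tag is a different account and is correctly not found.
        "other_tag": store.lost_password_fixed("meow.bow+evil1@domain.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points a reviewer would check here: the normalization lives in one function imported by every path rather than being re-implemented per form, and the reset path acts on the stored key rather than on the user's typed string, so any reset mail goes to the canonical address. A reset form that answers "there is no account with this email address" also tells the caller which addresses are registered; returning the same neutral response whether or not a match was found avoids that enumeration.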

But you can clearly see that I registered both accounts and logged into admin.alwaysdata.com. After that, on Reset password you can clearly see that it shows "There is no email". If the victim registers their account with their email and the attacker knows the victim's email, he/she can use an abuse email to force to stop the victim to forget their password.

Admin
cbay commented on 05.08.2025 14:37
After that, on Reset password you can clearly see that it shows "There is no email".

Because you had an uppercase letter.

An attacker can use symbols to prevent the victim from forgetting their password.

Admin
cbay commented on 05.08.2025 14:39

Please try again with new accounts and upload the video.

You are right, that's a matter of uppercase.
