Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by anoopsingh2807 - 06.08.2025
Last edited by cbay - 06.08.2025

FS#200 - Server Security Misconfiguration in Action

Bug Theory
Server Security Misconfiguration happens when an app exposes sensitive functionality without proper controls. In this case, the platform allowed account deletion without any password confirmation, which is a clear misstep in authentication logic.

Even though the user is logged in, critical actions like deleting an account should always require re-authentication to prevent abuse via stolen sessions, CSRF, or insider misuse.

Steps
Navigated to the Account Settings after logging in as a regular user.
Clicked on “Delete Account”.
✅ Expected: The application should prompt the user to re-enter their account password, or at least send an OTP/email confirmation before deleting the account.
❌ Actual: The account was deleted instantly without any verification — just a single click and the user data was gone.

That’s it. No alerts. No hesitation.

Business Context Impact
Because this platform is used to coordinate offline car transactions, accounts are tied to:

  • Active car listings
  • Buyer/seller chat history
  • Scheduled meetings or test drives
Deleting an account disrupts the entire transaction process, damages user trust, and may result in financial losses or wasted in-person efforts.
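The control the report asks for, as an added illustration that is not part of the report or of the platform's code: a destructive action is gated on a CSRF token and on a password re-authentication that must be fresh (the 300-second window is an assumed policy), shown beside the session-only pattern the report describes. Account, Session and all names here are hypothetical.

```python
import hashlib
import hmac
import os
import time

REAUTH_WINDOW = 300     # seconds a password confirmation stays fresh (assumed policy)
PBKDF2_ROUNDS = 200_000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _derive(password, self.salt)
        self.deleted = False

    def check_password(self, password):
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(_derive(password, self.salt), self.pw_hash)


class Session:
    def __init__(self, account):
        self.account = account
        self.csrf_token = os.urandom(16).hex()
        self.last_reauth = None     # no password confirmation on this session yet


def delete_account_unsafe(session):
    # The pattern described in the report: holding a valid session is the only check.
    session.account.deleted = True
    return "deleted"


def reauthenticate(session, password, now=None):
    """Step 1: the user re-enters the password; success stamps the session."""
    if not session.account.check_password(password):
        return False
    session.last_reauth = time.time() if now is None else now
    return True


def delete_account(session, csrf_token, now=None):
    """Step 2: the destructive action, allowed only with a CSRF token and a fresh re-auth."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(csrf_token, session.csrf_token):
        return "csrf_mismatch"
    if session.last_reauth is None or now - session.last_reauth > REAUTH_WINDOW:
        return "reauth_required"
    session.account.deleted = True
    return "deleted"
```

A stolen session cookie alone yields "reauth_required"; a cross-site request without the token yields "csrf_mismatch", and both leave the account intact.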

Closed by cbay
06.08.2025 08:24
Reason for closing: Duplicate
Additional comments about closing:

https://security.alwaysdata.com/task/17
