Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 16.08.2025
Last edited by nferrari - 28.08.2025

FS#203 - Title: Unauthorized Exposure of Account Domains Due to Insufficient 2FA Enforcement

Severity: Medium – P3

Description:
A security issue was discovered in the account management system on Alwaysdata. When an account owner adds another user as an Administrator, grants them full permissions, and enforces the condition that this user must enable two-factor authentication (2FA) before accessing the shared account, insecure behavior occurs.

In this scenario, the user who has not yet enabled 2FA can see the list of domains associated with the owner’s shared account when attempting to add a Mailbox in their personal account. Although they cannot create an email using those domains, the mere visibility of the domain names exposes sensitive information about the owner’s infrastructure.

Steps to Reproduce:

1. Create a subscription account in Alwaysdata and add a domain.

2. Create another user account (subscription).

3. From the main account, add this user as an Administrator with full permissions.

4. Enable the requirement for 2FA before access.

5. From the secondary account (the other user), attempt to add a Mailbox.

6. The domain list will display, including the main account’s domain, even though the user has not enabled 2FA.

POC: https://admin.alwaysdata.com/support/88664/

Impact:

Unauthorized exposure of the owner’s domain names.

This may lead to internal infrastructure information leakage.

An attacker may leverage knowledge of these domains for further attacks.

Note:
If the user is not granted any permissions for email or domains, they cannot see any of the shared account’s domains. This illustrates that domain visibility without 2FA results from the granted permissions interacting with the lack of enforced 2FA, and is not normal system behavior.

Recommendation:
Alwaysdata should ensure that any user who has not enabled 2FA cannot access or even view any sensitive data associated with the shared account, including the domain list.
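To make the recommendation concrete, the following added example (not Alwaysdata's code; the account model, field names and sample data are assumed) contrasts a domain-list builder that collects domains from every account the user administers, which is the behavior the report describes, with one that applies the same 2FA gate the shared account itself enforces before including a delegated account's domains.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    domains: list
    require_2fa_for_delegates: bool = False
    admins: set = field(default_factory=set)  # usernames granted admin rights


@dataclass
class User:
    name: str
    own_account: Account
    has_2fa: bool = False


def visible_domains_vulnerable(user, all_accounts):
    """Builds the mailbox-creation domain list from every account the user
    administers, without checking whether the 2FA requirement that gates
    access to that shared account has been satisfied."""
    domains = list(user.own_account.domains)
    for acct in all_accounts:
        if user.name in acct.admins:
            domains.extend(acct.domains)
    return domains


def can_access_shared(user, acct):
    """The gate that must hold before a delegate sees anything from the shared
    account: admin rights AND, when the owner requires it, 2FA enabled."""
    if user.name not in acct.admins:
        return False
    if acct.require_2fa_for_delegates and not user.has_2fa:
        return False
    return True


def visible_domains_fixed(user, all_accounts):
    """Same list, but a delegated account's domains are only included when the
    delegate would also be allowed into that account."""
    domains = list(user.own_account.domains)
    for acct in all_accounts:
        if can_access_shared(user, acct):
            domains.extend(acct.domains)
    return domains


# Constructed sample data mirroring the report's scenario.
OWNER = Account("owner", ["owner-example.test"], require_2fa_for_delegates=True, admins={"delegate"})
DELEGATE = User("delegate", Account("delegate", ["delegate-example.test"]), has_2fa=False)
ACCOUNTS = [OWNER, DELEGATE.own_account]
```

Running `visible_domains_vulnerable(DELEGATE, ACCOUNTS)` returns the owner's domain alongside the delegate's own, while `visible_domains_fixed` returns only the delegate's domain until `has_2fa` is set.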

Closed by nferrari
28.08.2025 14:08
Reason for closing: Fixed
Admin
cbay commented on 18.08.2025 15:08

Hello,

Thanks for the report. We'll look into it and will keep you informed.

Kind regards,
Cyril

Hi team,

Any update to this report?

Thank you,

Admin

Hi,

This report is in process. Can you please open a ticket on the alwaysdata administration panel?

Regards,
