Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 12.09.2025
Last edited by cbay - 13.09.2025

FS#212 - Attacker Can Access Webmail.alwaysdata.com without validating account in admin.alwaysdata.com

#Attacker Can Access Webmail.alwaysdata.com without validating account in admin.alwaysdata.com

Hello Team,

I hope you are doing well. I found that an attacker can access webmail.alwaysdata.com without validating the account in admin.alwaysdata.com.

#Steps to Reproduce:

1. Go to https://www.alwaysdata.com/en/marketplace/ and install any application you want.
2. Fill in the form, then submit the request.
3. Then go to webmail.alwaysdata.com and enter the address and password that you submitted in Step 2.
4. You can see that the attacker can log in to webmail.alwaysdata.com without validating the account in admin.alwaysdata.com.

#Impact:

An attacker can use a victim's email to create an account and then use the address to log in to webmail.alwaysdata.com. The attacker sends fake emails and phishing emails to someone on behalf of the victim.

Thank You,

Waleed Anwar

Closed by  cbay
13.09.2025 08:20
Reason for closing:  Invalid
13.09.2025: A request to reopen the task has been made. Reason for request: An attacker can create an account in admin.alwaysdata.com on behalf of a victim; he/she uses the oliva address to log in to webmail.alwaysdata.com to send fake emails to anyone, send phishing mails and redirect the victim's mail to his/her own server. Please have a look.
Admin
cbay commented on 12.09.2025 16:04

Hello,

3.Then go to webmail.alwaysdata.com to put your address and password in which you had submitted in Step 2.

I think you're mistaken, that doesn't work. Please attach a video if you still believe you're right.

Kind regards,
Cyril

I will send you the video, sir.

Admin
cbay commented on 13.09.2025 08:20

You sign up with sojarog998@ishense.com and log in to the webmail with oliva@alwaysdata.net. Not the same address. There's no vulnerability here.

An attacker can create an account in admin.alwaysdata.com on behalf of a victim; he/she uses the oliva address to log in to webmail.alwaysdata.com to send fake emails to anyone, send phishing mails and redirect the victim's mail to his/her own server. Please have a look.

Thank you,

Waleed Anwar

An attacker can use the victim's email to create an account from the alwaysdata marketplace, then fill in the form to submit the request. I already told you, sir, the attacker uses the address, not the email address, because it's mentioned in the marketplace.

Please have a look at it; it's a serious matter for users.

Thank you,

Waleed Anwar

Any update?

Any update sir??

I already told you, sir: put the address (not an email address) and then the password in webmail.alwaysdata.com.

Thank You,

Waleed Anwar

Any update??

Any update about this report? Is it validated or not?
