Status: Closed
Assigned To: cbay - Private
Opened by: monty099 - 15.09.2025
Last edited by: cbay - 16.09.2025
FS#213 - Title: Unauthorized Exposure of Account Domains Due to Insufficient 2FA Enforcement
Severity: P3 – Medium
Product / Area: Account Management / Shared Permissions / Email Management (domain selection when creating a Mailbox)
Summary
A previously reported issue was observed again (Report ID: [203]; it was marked as Fixed on [28/8/2025]). The issue is that an invited user who has not enabled two-factor authentication (2FA) can view the domains of another subscription when attempting to create a Mailbox from their personal account. This behavior reflects a failure to enforce the 2FA requirement and constitutes information disclosure.
This issue was re-observed on 15/09/2025.
Steps to Reproduce:
1. Create a subscription account in Alwaysdata and add a domain.
2. Create another user account (subscription).
3. From the main account, add this user as an Administrator with full permissions.
4. Enable the requirement for 2FA before access.
5. From the secondary account (the other user), attempt to add a Mailbox.
6. The domain list will display, including the main account’s domain, even though the user has not enabled 2FA.
POC: https://admin.alwaysdata.com/support/89183/
Regression:
The vulnerability was originally reported and marked as Fixed.
Its reappearance means the fix was bypassed.
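Added illustration, not alwaysdata's code (the classes, names and sample data are assumptions): the mailbox domain list modelled with the reported behaviour beside a hardened version that re-evaluates the inviting subscription's 2FA requirement against the caller on every read of shared data, so the gate cannot be skipped by reaching the data from another screen.

```python
# Constructed model of the check described in FS#213 (not alwaysdata's code;
# the classes, names and data below are assumptions).
from dataclasses import dataclass, field


@dataclass
class Subscription:
    name: str
    domains: list[str]
    require_2fa: bool = False                      # "require 2FA before access"
    admins: set[str] = field(default_factory=set)  # invited users holding a role


@dataclass
class User:
    name: str
    subscription: Subscription  # the user's own subscription
    has_2fa: bool = False


def mailbox_domains_vulnerable(user: User, subs: list[Subscription]) -> list[str]:
    """Reported behaviour: a granted role alone exposes the other subscription's
    domains; the 2FA requirement is never consulted on this data path."""
    domains = list(user.subscription.domains)
    for sub in subs:
        if user.name in sub.admins:
            domains += sub.domains
    return domains


def can_use_shared(user: User, sub: Subscription) -> bool:
    """Apply wherever shared data is read, not only at the account switcher."""
    return user.name in sub.admins and (user.has_2fa or not sub.require_2fa)


def mailbox_domains_fixed(user: User, subs: list[Subscription]) -> list[str]:
    domains = list(user.subscription.domains)
    for sub in subs:
        if can_use_shared(user, sub):
            domains += sub.domains
    return domains


def demo() -> tuple[list[str], list[str]]:
    """Report steps 1-6: main requires 2FA and invited 'guest' (who has no 2FA) as Administrator."""
    main = Subscription("main", ["example.com"], require_2fa=True, admins={"guest"})
    guest = User("guest", Subscription("guest", ["guest.example"]))
    subs = [main, guest.subscription]
    return mailbox_domains_vulnerable(guest, subs), mailbox_domains_fixed(guest, subs)
```

`demo()` returns the leaked list first and the enforced list second; once the guest enables 2FA the hardened check admits the shared domain again.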
Hello,
We had to temporarily suspend our fix as it caused issues; we'll make a better fix soon.
Kind regards,
Cyril