- Status: Closed
- Assigned To: cbay
- Private
- Attached to Project: Security vulnerabilities
- Opened by b8192051 - 05.03.2026
- Last edited by cbay - 05.03.2026
FS#301 - I found a broken access control that allows users to read backup-related information without access.
Steps to reproduce:
- Navigate to https://www.alwaysdata.com/en/register/ and create 2 accounts, accountA@gmail.com and accountB@gmail.com.
- In accountA@gmail.com, invite accountB@gmail.com and grant it all access (this is so that we can capture the request to make testing easy).
- Log in to accountB@gmail.com, click on advanced → backup recovery, fill in the necessary details and submit while proxying the traffic through Burp.
- In Burp, identify the traffic to these endpoints and intercept.
Hello,
You say "without access" in the summary, but "grant it all access" in your details, so I'm not sure I follow. If you grant all permissions to someone, then he gets all accesses.
Kind regards,
Cyril
Hello team, since this is my first time submitting a report on this platform, I mistakenly sent it without completing the report. Please ignore it and read it from the new one that I submitted here.
Since you have already replied to the message, I am submitting a new one.
Sorry for the inconvenience caused.
Hello team, this is the link to the new report submitted with step-by-step instructions on how to reproduce it.
https://security.alwaysdata.com/task/302