Security vulnerabilities

  • Status: Assigned
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by b8192051 - 05.03.2026

FS#302 - Broken Access Control allows user to read backup related information without permission

Actual Issue:

A user that does not have backup permissions is still able to access backup-related task and log details by replaying previously captured requests.

The following endpoints return backup-related information even after the user’s backup permission has been removed:

GET /task/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com

GET /log/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com

Since backup access is denied, the user should not be able to access any backup-related task or log information.

Steps To Reproduce

  • and create two accounts: accountA@gmail.com and accountB@gmail.com
  • Login to accountA@gmail.com
  • Invite accountB@gmail.com and initially grant it full access (this is to make capturing the request easier).
  • Login to accountB@gmail.com
  • Navigate to: Advanced → Backup Recovery
  • Fill in the necessary details and submit the form while proxying the traffic through Burp Suite.
  • In Burp, identify the requests sent to the following endpoints: /task/<id>/detail/ and /log/<id>/detail/

Now, to demonstrate the actual vuln:

  • Go back to accountA@gmail.com
  • Navigate to Permissions → Account Permissions.
  • Under the All permissions account section, grant all permissions except the backups permission.
  • Confirm that accountB@gmail.com no longer has access to backup functionality from the UI.
  • Go back to Burp Suite and replay the previously captured requests to verify that accountB@gmail.com can still access the backup information.

Security Impact

  • Since the IDs are sequential and IDs for accounts that the attacker does not belong to return 404, the attacker can occasionally run brute force attacks to access the backup information of all backups even though they do not have access to it.
  • This breaks the expected permission model, since once backup access is revoked, the user should not be able to retrieve any backup-related information.

Additional Notes

I searched everywhere for alternative ways to access the /log/<id>/detail/ and /task/<id>/detail/ endpoints, since they appear to be generic log and task related endpoints which the attacker has access to, but could not find any.

This clearly indicates that these endpoints are tied to the backup operation workflow, and a user without backup permissions should not have access to them.
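One way to model the missing check, as an added example that is not part of the report or of the alwaysdata code base: a task detail lookup that only tests account membership (the behaviour the report describes) beside one that also requires the backups permission for backup-related tasks. The task kinds, permission names and in-memory tables are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed in-memory model (assumption, not the real schema).
@dataclass
class Task:
    id: int
    account: str
    kind: str  # e.g. "backup" or "deploy"

@dataclass
class Membership:
    account: str
    permissions: set = field(default_factory=set)

TASKS = {
    101: Task(101, "accountA", "backup"),
    102: Task(102, "accountA", "deploy"),
    103: Task(103, "accountC", "backup"),
}

# Which task kinds require which feature permission (constructed mapping).
REQUIRED_PERMISSION = {"backup": "backups"}

def task_detail_membership_only(memberships, task_id):
    """Flawed check: only asks whether the viewer belongs to the owning account,
    so revoking the backups permission changes nothing for this endpoint."""
    task = TASKS.get(task_id)
    if task is None or task.account not in {m.account for m in memberships}:
        return "not_found"
    return task

def task_detail_hardened(memberships, task_id):
    """Hardened check: membership first, then the feature permission that the
    task's workflow belongs to. Non-members get the same answer as for a task
    that does not exist, so the response does not confirm the id."""
    task = TASKS.get(task_id)
    member = next((m for m in memberships if task and m.account == task.account), None)
    if task is None or member is None:
        return "not_found"
    required = REQUIRED_PERMISSION.get(task.kind)
    if required and required not in member.permissions:
        return "forbidden"
    return task
```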

Admin
cbay commented on 05.03.2026 11:45

Hello,

The log and task details only contain information that a backup had been performed. We do not consider such logs to be a security issue as long as you already have access to the account.

Kind regards,
Cyril

Hello @cbay, could you please clarify what you mean by "the user has access to the account"?

In my report, the user has been invited to the account but not given access to the backup information, and I submitted this report because your bug bounty page permits reporting Access Control Issues.

Thanks.

Admin
cbay commented on 05.03.2026 13:02

In your report, the user still has permissions to the account, not just backup.
