- Status: Closed
- Assigned To: cbay - Private
- Opened by b8192051 - 05.03.2026
- Last edited by cbay - 05.03.2026
FS#302 - Broken Access Control allows user to read backup related information without permission
Actual Issue:
A user that does not have backup permissions is still able to access backup-related task and log details by replaying previously captured requests.
The following endpoints return backup-related information even after the user’s backup permission has been removed:
GET /task/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com

GET /log/<id>/detail/ HTTP/2
Host: admin.alwaysdata.com
Since backup access is denied, the user should not be able to access any backup-related task or log information.
Steps To Reproduce
- Navigate to https://www.alwaysdata.com/en/register/ and create two accounts: accountA@gmail.com and accountB@gmail.com
- Login to accountA@gmail.com
- Invite accountB@gmail.com and initially grant it full access (this is to make capturing the request easier).
- Login to accountB@gmail.com
- Navigate to: Advanced → Backup Recovery
- Fill in the necessary details and submit the form while proxying the traffic through Burp Suite.
- In Burp, identify the requests sent to the following endpoints:
/task/<id>/detail/
/log/<id>/detail/
Now, to demonstrate the actual vuln:
- Now go back to accountA@gmail.com
- Navigate to Permissions → Account Permissions.
- Under the All permissions account section, grant all permissions except the backups permission
- Confirm that accountB@gmail.com no longer has access to backup functionality from the UI.
- Go back to Burp Suite and replay the previously captured requests to verify that accountB@gmail.com can still access the backup information.
Security Impact
- Since the ids are sequential and ids for accounts that the attacker does not belong to return 404, the attacker can occasionally run brute-force attacks to access the backup information of all backups even though they do not have access to it.
- This breaks the expected permission model, since once backup access is revoked, the user should not be able to retrieve any backup-related information.
Additional Notes
I searched everywhere for alternative ways to access the /log/<id>/detail/ and /task/<id>/detail/ endpoints, since they appear to be generic log- and task-related endpoints which the attacker has access to, but could not find any.
This clearly indicates that these endpoints are tied to the backup operation workflow, and a user without backup permissions should not have access to them.
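A request-time, object-level authorization check of the kind the report calls for, written here as an added example (not alwaysdata's code; the permission names, data model and the replay scenario are assumptions):

```python
from dataclasses import dataclass, field

BACKUP = "backup"                 # hypothetical granular permission name
ACCOUNT_ADMIN = "account_admin"   # hypothetical "All account permissions"
CATEGORY_PERMISSION = {"backup": BACKUP}   # record category -> permission needed

@dataclass
class Record:            # a task or a log entry, as stored server-side
    id: int
    account_id: int
    category: str
    detail: str

@dataclass
class Membership:        # an invited user's *current* permissions on an account
    permissions: set = field(default_factory=set)

class NotFound(Exception): ...
class Forbidden(Exception): ...

def authorize_detail(record, memberships, user):
    """Return record.detail only if `user` currently holds the permission the
    record's category requires on the owning account. Evaluated on every
    request, so a URL captured while the permission was granted stops working
    the moment it is revoked."""
    m = memberships.get((user, record.account_id))
    if m is None:            # not a member of the owning account: behave as 404
        raise NotFound(record.id)
    needed = CATEGORY_PERMISSION.get(record.category)
    if needed and ACCOUNT_ADMIN not in m.permissions and needed not in m.permissions:
        raise Forbidden(f"{user} lacks '{needed}' on account {record.account_id}")
    return record.detail

def simulate_revocation():
    """Constructed scenario mirroring the report: accountB reads a backup task
    while it has full access, then backup is revoked and the same id is replayed."""
    task = Record(id=1, account_id=10, category="backup", detail="backup of site X done")
    members = {("accountB", 10): Membership({ACCOUNT_ADMIN})}
    before = authorize_detail(task, members, "accountB")
    # accountA now grants every granular permission except backup
    members[("accountB", 10)] = Membership({"ssh", "databases", "sites"})
    try:
        after = authorize_detail(task, members, "accountB")
    except Forbidden:
        after = "403"
    return before, after
```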
Hello,
The log and task details only contain information that a backup had been performed. We do not consider such logs to be a security issue as long as you already have access to the account.
Kind regards,
Cyril
Hello @cbay, could you please clarify what you mean by "the user has access to the account"?
In my report, the user has been invited to the account but not given access to the backup information, and I submitted this report because your bug bounty page permits reporting Access Control Issues.
Thanks.
In your report, the user still has permissions to the account, not just backup.
Hello @cbay,
I think you are confusing the actual problem that I am discussing here.
In my report, the user does not have permission to the backup; they have all other account-related permissions but not backup. The website allows setting more granular access controls under the account section: instead of giving the user full account management permissions, they are given all but backups, which the website clearly allows.
When reproducing the report, do not select "all account permissions"; scroll down a bit to find the section to allow individual account permissions, and disallow the backups access.
I have attached a screenshot so you know what I am actually talking about, thanks.
In the first image, you can verify that "all account permissions" has been deselected. And in the second image, you can see that the user has access to all account permissions except the backup feature.
As I said, the user still has some permissions to the account.
Oh okay, understood.