Alwaysdata allows users to create a Free Public Cloud (100MB) account. Each user is limited to having only one Free Public Cloud (100MB account. However, I discovered that a user can bypass this restriction and obtain multiple Free Public Cloud (100MB) accounts by asking other users to create a new free account and then transfer ownership of that account to them.

Reproduction Steps

1. User A creates a new Free Public Cloud (100MB) storage account
2. User B creates a new Free Public Cloud (100MB)storage account
3. User B transfers ownership of their account to User A through: https://admin.alwaysdata.com/admin/account/
4. User A now has two Free Public Cloud (100MB)storage accounts (their original account and the one transferred from User B)
5. This process can be repeated with same user B for unlimited times to accumulate unlimited no of free accounts.

Impact

By exploiting account ownership transfers, a user can essentially obtain unlimited free storage, potentially leading to loss for alwaysdata

Recommendation

Implement additional checks and restrictions to prevent users from obtaining multiple free accounts through ownership transfers. Possible mitigations could include:

1. Limiting the number of free accounts a user can own, regardless of the acquisition method (creation or transfer).
2. Disallowing ownership transfers for free accounts or requiring explicit approval from the service provider.
3. Automatically consolidating multiple free accounts under the same user into a single account, preserving the total storage limit.

Proof of Concept:

I was able to accumulate 3 free accounts for user: d_sharad+1@wearehackerone.com poc image : https://drive.google.com/file/d/1Z9hxAiRs3jV8laemO7a_q7Cju1R-_f2X/view?usp=sharing