Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by d_sharad - 24.04.2024
Last edited by cbay - 25.04.2024

FS#51 - Multiple Free Public Cloud accounts obtained by a single user through account ownership transfers.

Description

Alwaysdata allows users to create a Free Public Cloud (100MB) account. Each user is limited to having only one Free Public Cloud (100MB account. However, I discovered that a user can bypass this restriction and obtain multiple Free Public Cloud (100MB) accounts by asking other users to create a new free account and then transfer ownership of that account to them.

Reproduction Steps

1. User A creates a new Free Public Cloud (100MB) storage account
2. User B creates a new Free Public Cloud (100MB)storage account
3. User B transfers ownership of their account to User A through: https://admin.alwaysdata.com/admin/account/
4. User A now has two Free Public Cloud (100MB)storage accounts (their original account and the one transferred from User B)
5. This process can be repeated with same user B for unlimited times to accumulate unlimited no of free accounts.

Impact

By exploiting account ownership transfers, a user can essentially obtain unlimited free storage, potentially leading to loss for alwaysdata

Recommendation

Implement additional checks and restrictions to prevent users from obtaining multiple free accounts through ownership transfers. Possible mitigations could include:

1. Limiting the number of free accounts a user can own, regardless of the acquisition method (creation or transfer).
2. Disallowing ownership transfers for free accounts or requiring explicit approval from the service provider.
3. Automatically consolidating multiple free accounts under the same user into a single account, preserving the total storage limit.

Proof of Concept:

I was able to accumulate 3 free accounts for user: d_sharad+1@wearehackerone.com poc image : https://drive.google.com/file/d/1Z9hxAiRs3jV8laemO7a_q7Cju1R-_f2X/view?usp=sharing

Closed by  cbay
25.04.2024 07:16
Reason for closing:  Invalid
Admin
cbay commented on 24.04.2024 16:24

Hello,

I agree that's a bug, but it's definitely not a security vulnerability.

Kind regards,
Cyril

Hi Cyril,
Thanks for reviewing.
While it bypasses the intended account limitation giving users unauthorized access to multiple account I still beleive it should be fixed.
I respect your decision.
Kind regards,
d_sharad

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing