- Status Closed
-
Assigned To
cbay - Private
Opened by monty099 - 05.08.2024
Last edited by cbay - 05.08.2024
FS#67 - *Title:* Account Creation and Impersonation Vulnerability in [admin.alwaysdata.com]
*Title:* Account Creation and Impersonation Vulnerability in [admin.alwaysdata.com]
*Summary:*
It is possible to create a new account on the site using the domain name admin1@alwaysdata.com. After creating this account, the username can be changed to that of a legitimate site administrator. This vulnerability allows the account to generate support tickets and invite users, In this way he can defraud users.
*Steps to Reproduce:*
1. Register a new account on the site using the email admin1@alwaysdata.com , Or by any other name
2. Change the account username to that of a real site administrator.
3. Use the account to create a support ticket and invite users.
poc: https://admin.alwaysdata.com/support/77431/375910-poc.alwaysdata.png
*Impact:*
This vulnerability enables attackers to impersonate site administrators within the support system, Which enables the attacker to impersonate the administrators of the site and deceive users
*Recommendation:*
To mitigate this risk, implement restrictions to prevent the creation of accounts with administrative email domains.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
If you want to do a phishing attack on an alwaysdata user, it would certainly be more efficient to just send them a plain email that looks like an alwaysdata email.
Kind regards,
Cyril
This is just just an example, an attacker can request sensitive information from the user in the same ticket
Whatever the attacker wants to send to the user, they can just send it by email anyway.
Users resort to opening technical support tickets when they face any problem with their account, That is, they are trusted.
When an attacker impersonates an official, users won't know it, and the attacker's email address is what will make users trust him.
There is a difference between this scenario and an attacker tricking users by email directly.
But we don't even use `@alwaysdata.com` in the administration panel, in particular not on the ticket page.
We've already planned a revamped ticket page that better sets apart messages from an admin from messages from other users, but that's pretty much all we can do.
The user cannot sort this, Because it's the main domain of the site.
This poses a risk as well
The user can be deceived by that email address
and the attacker could exploit this in a practical scenario
Even if we did forbid @alwaydata.com, an attacker could use @aIwaysdata.com (note the capital i instead of the l) and get the same results.
Hi,
You can block capital and small letters together
You probably didn't realize that the profile name is displayed instead of the email address, so your mitigation wouldn't help at all anyway.
Hi,
The profile name does not pose any risk like the email address
Because the email address of the ticket creator is displayed
This mitigation procedure is a radical solution to the issue
look at this:
https://admin.alwaysdata.com/support/77431/375910-poc.alwaysdata.png
The email address is displayed and the user can find out who created this ticket
Only if the profile name is empty.
What am I supposed to see here? It's a screenshot of a user writing a ticket.
You can see the email of the ticket creator: https://admin.alwaysdata.com/support/77431/375951-poc333.png
This will give the user confidence.
That's the object of your ticket. Even if we did forbid emails with @alwaysdata.com, you could still have an account named "administrator", "admin-user" or whatever.
I told you that the profile name is not risk. The risk the email address that contains your domain name, Which can deceive users