- Status: Closed
- Assigned To: cbay
- Private
- Opened by waloodi_109 - 02.09.2024
- Last edited by cbay - 02.09.2024
FS#74 - Bypassing Two-Factor Authentication via Account Deactivation
Hello Team,
I hope you are doing well. I found a serious issue in https://admin.alwaysdata.com which allows bypassing two-factor authentication via account deactivation.
The vulnerability arises from a logical flaw in the account recovery and 2FA enforcement processes. Specifically, after deactivating an account, users can take over and log in without being prompted for 2FA. The 2FA mechanism, which is designed to provide an additional layer of security, is effectively bypassed.
Steps To Reproduce
Go to https://admin.alwaysdata.com and sign up as example@gmail.com.
Then go to the admin detail section, add some details (first name, last name, etc.) and activate 2FA.
After activating 2FA, submit and save the details.
After saving the details, click on the "Delete this profile" button at the top right and submit whatever message you want.
Your account is deleted without asking for password confirmation, 2FA is also deactivated, and an attacker can easily take over the account.
Note: This is possible only when the user forgot to log off the account at a cafe or on someone else's PC, and the attacker recreates an account with this email address and reconfigures 2FA to take over the account.
Regards,
Waleed Anwar
Hello,
In your scenario, the profile has been deleted, not deactivated, so there's nothing to take over.
Kind regards,
Cyril
As the account is deleted, an attacker can retake this email to recreate an account and reconfigure 2FA with his/her own device, because your domain doesn't perform email verification, so he/she takes the email to recreate the account on his behalf.
When a profile has been deleted, anyone can create a new profile with the same email address, but it will have an empty account. There's no security issue here.
Okay.
Sir, what about the 2FA bypass?
There's no bypass. We simply don't ask the second factor or the password when deleting an account, for reasons explained here.
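The control under discussion, a step-up check that requires a recently completed second factor before a destructive account action, as an added illustration that is not code from this tracker or from alwaysdata; the session fields, the 300-second freshness window and the in-memory `profiles` store are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import time

# Constructed example; names and the window length are hypothetical.
STEP_UP_WINDOW = 300  # seconds a completed second-factor check stays fresh

@dataclass
class Session:
    user: str
    authenticated_at: float            # when the password login happened
    second_factor_at: Optional[float] = None  # when 2FA last succeeded, if ever

class StepUpRequired(Exception):
    """Raised when a sensitive action needs a fresh second factor."""

def second_factor_is_fresh(session: Session, now: Optional[float] = None) -> bool:
    # A session that never passed 2FA, or passed it too long ago, is stale
    now = time.time() if now is None else now
    return (session.second_factor_at is not None
            and now - session.second_factor_at <= STEP_UP_WINDOW)

def delete_profile_unguarded(profiles: dict, session: Session) -> bool:
    """Deletes on any logged-in session: the policy described in the thread,
    where a session left open on a shared machine is sufficient."""
    return profiles.pop(session.user, None) is not None

def delete_profile_guarded(profiles: dict, session: Session,
                           now: Optional[float] = None) -> bool:
    """Refuses unless the session completed a second-factor check within
    STEP_UP_WINDOW, so the action carries its own re-authentication."""
    if not second_factor_is_fresh(session, now):
        raise StepUpRequired("re-enter the second factor to delete this profile")
    return profiles.pop(session.user, None) is not None
```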