Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 02.09.2024
Last edited by cbay - 02.09.2024

FS#74 - Bypassing Two-Factor Authentication via Account Deactivation


Hello Team,

I hope you are doing well. I found a serious issue in https://admin.alwaysdata.com: bypassing two-factor authentication via account deactivation.

The vulnerability arises from a logical flaw in the account recovery and 2FA enforcement processes. Specifically, after deactivating an account, users can take over and log in without being prompted for 2FA. The 2FA mechanism, which is designed to provide an additional layer of security, is effectively bypassed.

Steps To Reproduce

Go to https://admin.alwaysdata.com and sign up as example@gmail.com.

Then go to the admin details section, add some details (first name, last name, etc.) and activate 2FA.

After activating 2FA, submit and save the details.

After saving the details, click on the "Delete this profile" button at the top right and submit whatever message you want.

Your account is deleted without asking for password confirmation, 2FA is also deactivated, and an attacker can easily take over the account.

Note: This is only possible when the user forgot to log off the account at a cafe or on someone else's PC; the attacker then recreates an account with this email address and reconfigures 2FA to take over the account.

Regards,

Waleed Anwar

Closed by cbay
02.09.2024 12:41
Reason for closing: Invalid
Admin
cbay commented on 02.09.2024 12:34

Hello,

In your scenario, the profile has been deleted, not deactivated, so there's nothing to take over.

Kind regards,
Cyril

Since the account is deleted, an attacker can retake this email to recreate an account and reconfigure 2FA with his/her own device, because your domain doesn't perform email verification, so he/she takes the email to recreate the account on the victim's behalf.

Admin
cbay commented on 02.09.2024 12:38

When a profile has been deleted, anyone can create a new profile with the same email address, but it will have an empty account. There's no security issue here.

Okay.

Sir, what about the 2FA bypass?

Admin
cbay commented on 02.09.2024 12:58

There's no bypass. We simply don't ask the second factor or the password when deleting an account, for reasons explained here.
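To make the disagreement in this thread concrete, here is an added model of the flow the reporter describes (sign up, enable TOTP, delete the profile from a still-logged-in session, re-register the same e-mail). It is example code written for this page, not alwaysdata's implementation; the in-memory store, the session handling and the optional `require_reauth_for_delete` switch are assumptions. It shows the two facts the thread turns on: after deletion the re-created profile carries none of the original data or the original TOTP secret (the maintainer's point), and what changes if deletion is treated as a step-up action that re-checks both factors (the behaviour the reporter expected).

```python
"""Model of the profile lifecycle discussed in FS#74 (added example, not
alwaysdata's code). Everything here is an assumption made for illustration."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, t: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a raw secret; `t` is a Unix time override."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


@dataclass
class Profile:
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None
    data: dict = field(default_factory=dict)  # first name, last name, ...


class AccountService:
    """Assumed service: password login, optional TOTP, profile deletion."""

    def __init__(self, require_reauth_for_delete: bool = False):
        self.profiles: dict = {}   # email -> Profile
        self.sessions: dict = {}   # session token -> email
        self.require_reauth = require_reauth_for_delete

    @staticmethod
    def _hash(password: str) -> str:
        # Placeholder for illustration only; a real service uses argon2/bcrypt.
        return hashlib.sha256(password.encode()).hexdigest()

    def _new_session(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.sessions[token] = email
        return token

    def _who(self, session: str) -> Profile:
        return self.profiles[self.sessions[session]]

    def _verify(self, email: str, password: str, code: Optional[str]) -> Profile:
        """Check both factors; raises PermissionError on any failure."""
        p = self.profiles.get(email)
        if p is None or not hmac.compare_digest(p.password_hash, self._hash(password)):
            raise PermissionError("bad credentials")
        if p.totp_secret is not None:
            if code is None or not hmac.compare_digest(code, totp(p.totp_secret)):
                raise PermissionError("second factor required")
        return p

    def signup(self, email: str, password: str) -> str:
        if email in self.profiles:
            raise ValueError("email already registered")
        self.profiles[email] = Profile(email, self._hash(password))
        return self._new_session(email)

    def login(self, email: str, password: str, code: Optional[str] = None) -> str:
        return self._new_session(self._verify(email, password, code).email)

    def enable_totp(self, session: str) -> bytes:
        p = self._who(session)
        p.totp_secret = secrets.token_bytes(20)
        return p.totp_secret

    def set_details(self, session: str, **details) -> None:
        self._who(session).data.update(details)

    def delete_profile(self, session: str, password: str = "", code: Optional[str] = None) -> None:
        p = self._who(session)
        if self.require_reauth:
            # Step-up variant: a valid session is not enough, re-check both factors.
            self._verify(p.email, password, code)
        del self.profiles[p.email]
        # Every session of the deleted profile is revoked with it.
        for token, email in list(self.sessions.items()):
            if email == p.email:
                del self.sessions[token]


def report_scenario(require_reauth: bool = False) -> dict:
    """Replay the reporter's steps against the model and summarise the outcome."""
    svc = AccountService(require_reauth)
    victim = svc.signup("example@gmail.com", "correct horse battery staple")  # constructed
    svc.set_details(victim, first_name="Example", last_name="User")
    old_secret = svc.enable_totp(victim)
    try:
        svc.delete_profile(victim)  # attacker at the unattended PC: no password, no code
    except PermissionError:
        return {"deleted": False, "recreated_has_data": None, "old_secret_reused": None}
    attacker = svc.signup("example@gmail.com", "attacker-password")
    svc.enable_totp(attacker)
    new = svc.profiles["example@gmail.com"]
    return {"deleted": True,
            "recreated_has_data": bool(new.data),
            "old_secret_reused": new.totp_secret == old_secret}
```

With the default setting `report_scenario()` reports the deletion succeeding, but the re-registered profile has no data and a fresh TOTP secret, which is the "empty account" the maintainer refers to; with `require_reauth=True` the deletion is refused without the password and current code. Whether that step-up is worth the friction is the design decision the thread closes on, and the model does not settle it.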
