Task Description
IDOR leads to deletion of any account
Description:
There is a logic flaw in the permissions system. When a user is deleted through the /permissions/[id]/delete/ endpoint, the server takes the id from the request and trusts it; it does not verify that the requester is authorized to delete that specific user.
By intercepting the request and changing the id value, any logged-in user can delete any account by its ID.
Steps to Reproduce:
1. Create three new accounts on alwaysdata with the following emails:
`attacker1@gmail.com` (Account A)
`attacker2@gmail.com` (Account B)
`Victim1@gmail.com` (Victim Account)
2. As Account A, go to:
`https://admin.alwaysdata.com/permissions/`
3. Add Account B as a team member/user:
`attacker2@gmail.com`
4. As Account A (attacker1@gmail.com), go to the Permissions panel again.
5. Account B is listed with a "delete" button next to it.
6. Use Burp Suite to intercept the deletion request for Account B, for example:
POST /permissions/402834/delete/
7. Modify the ID in the request to the Victim Account's ID (e.g., 402812):
POST /permissions/402812/delete/
8. Send the modified request. It succeeds even though Account A has no relationship to the Victim Account. Confirm the deletion by attempting to log in as the Victim Account afterwards, rather than relying on the HTTP response alone.
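To make the flaw and its fix concrete, the following is an added example modelling the handler behind /permissions/[id]/delete/ (illustration only, not alwaysdata's code; the data model, function names and the use of the report's ids 402834 and 402812 as sample rows are assumptions). `delete_permission_vulnerable` reproduces the bug (CWE-639: the id from the URL is trusted), `delete_permission_fixed` adds the object-level authorization check, and `run_scenario` replays steps 6 to 8 against either handler.

```python
"""
Model of the /permissions/<id>/delete/ handler from the report.
Added example for illustration, not alwaysdata's code; the data
model, names and ids are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    id: int
    email: str


@dataclass
class Member:
    """A team-member / permission row. Deleting it stands in for the
    account deletion described in the report."""
    id: int
    email: str
    owner_id: int  # account that added this member and may remove it


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class PermissionStore:
    def __init__(self) -> None:
        self.rows = {}  # member id -> Member

    def add(self, member: Member) -> None:
        self.rows[member.id] = member


def delete_permission_vulnerable(store: PermissionStore,
                                 requester: Optional[Account],
                                 member_id: int) -> Member:
    """Checks only that someone is logged in, then deletes whatever id
    the client sent (user-controlled key, no ownership check)."""
    if requester is None:
        raise Forbidden("login required")
    member = store.rows.pop(member_id, None)
    if member is None:
        raise NotFound(member_id)
    return member


def delete_permission_fixed(store: PermissionStore,
                            requester: Optional[Account],
                            member_id: int) -> Member:
    """Object-level authorization: the row must exist AND belong to the
    requester before it is deleted."""
    if requester is None:
        raise Forbidden("login required")
    member = store.rows.get(member_id)
    # Same error for missing and foreign rows, so the response does not
    # confirm which ids exist to an attacker enumerating them.
    if member is None or member.owner_id != requester.id:
        raise NotFound(member_id)
    del store.rows[member_id]
    return member


def run_scenario(handler) -> Tuple[bool, bool, bool]:
    """Replay steps 6-8 of the report against `handler`.
    Returns (own_member_deleted, forged_delete_succeeded, victim_row_intact)."""
    store = PermissionStore()
    account_a = Account(1, "attacker1@gmail.com")
    victim_owner = Account(2, "Victim1@gmail.com")
    # Constructed rows reusing the ids quoted in the report.
    store.add(Member(402834, "attacker2@gmail.com", owner_id=account_a.id))
    store.add(Member(402812, "Victim1@gmail.com", owner_id=victim_owner.id))

    # Step 6: Account A deletes its own team member (legitimate).
    handler(store, account_a, 402834)
    own_deleted = 402834 not in store.rows

    # Steps 7-8: same request with the id swapped to the victim's.
    try:
        handler(store, account_a, 402812)
        forged_succeeded = True
    except NotFound:
        forged_succeeded = False
    return own_deleted, forged_succeeded, 402812 in store.rows


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_permission_vulnerable))  # (True, True, False)
    print("fixed:     ", run_scenario(delete_permission_fixed))       # (True, False, True)
```

The fix is the single ownership comparison; note that it returns the same "not found" error for a foreign row as for a nonexistent one, so the endpoint cannot be used to enumerate valid ids even after the deletion itself is blocked.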
Impact:
An attacker can exploit this IDOR to delete any account.
Loss of access for the original owner.
Loss of availability (DoS against users): an attacker can delete arbitrary user accounts, causing permanent or temporary loss of access. This is a denial of service against targeted users, or against large sets of users if the request is automated across id values.
Loss of data integrity: deleting an account typically removes associated personal information, preferences, content, or transaction history, which may be irrecoverable.
Escalation of attacks: attackers could target privileged users (e.g., admins, moderators, or paying customers), deleting their accounts to gain an advantage or disrupt business operations.
Reputation and trust impact: users may lose trust in the platform if their accounts or data can be deleted by unauthorized parties.
Severity: Critical
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
CVSS v3.1 (example vector):
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L): the attacker needs a registered account to reach the Permissions panel, as in the steps above
User Interaction: None (N)
Scope: Unchanged (U): the deleted account is managed by the same security authority as the vulnerable endpoint; a Changed scope would require impact on a separately authorized component, and privileged victims alone do not change scope
Confidentiality: None (N): deletion does not disclose data (Low if the response leaks account details)
Integrity: High (H)
Availability: High (H)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H → Base Score 8.1 (High); with C:L the score is 8.3. Rating Privileges Required as None or Scope as Changed would push the score higher, but neither is supported by the reproduction steps.