Task 283 (Closed): Email Address Change Without Verification or User Notif ...
Opened by: w4rcrypt

Task Description

The application allows a logged-in user to change the account email address without requiring any verification of the new email address and without sending a notification to the original email owner. This behavior can be abused by an attacker to silently change the victim’s email address and perform account take over.

Vulnerability Type: Improper Account Management
Affected Functionality: Email change feature
Impact Severity: Medium

Steps to Reproduce:

1. Go to the following URL: https://admin.alwaysdata.com
2. Log in to a valid user account.
3. Navigate to Profile Settings.
4. Change the registered email address to another email address (the victim's email address can be used).
5. Submit the request.
6. Observe that no verification email is sent to the new email address and no notification or alert is sent to the original address.
7. At this point an attacker can enable 2FA, lock out the owner of the other email address, and even perform a pre-account takeover.

Impact:

1. Account Lockout
2. Pre-Account Takeover

Recommendation:

1. Enforce mandatory verification for any email address change.
2. Send immediate security notifications to both the old and new email addresses.
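As an added illustration of both recommendations together (example code written for this report, not alwaysdata's own implementation), the flow below keeps the old address on the account until the new address proves control of its mailbox with a one-time, expiring token, and notifies the old address at request time and again after the change. It assumes a hypothetical `send_mail(to, subject, body)` callable and a user record held as a dict.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a pending change stays confirmable

class EmailChangeService:
    """Two-step email change: the account keeps its old address until the
    new address proves control of the mailbox with a one-time token."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail  # hypothetical callable(to, subject, body)
        self.now = now              # injectable clock so expiry is testable
        self.pending = {}           # user_id -> (new_email, token_hash, expires_at)

    def request_change(self, user, new_email):
        if new_email == user["email"]:
            raise ValueError("new address must differ from the current one")
        token = secrets.token_urlsafe(32)
        # Persist only a hash: a leaked pending-change table yields no usable tokens.
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user["id"]] = (new_email, token_hash, self.now() + TOKEN_TTL)
        # Proof of control goes to the NEW address; the OLD owner is warned at once,
        # so a silent swap from a logged-in session cannot go unnoticed.
        self.send_mail(new_email, "Confirm your new email address", f"token={token}")
        self.send_mail(user["email"], "Email change requested",
                       "A change to your account email was requested. "
                       "If this was not you, secure your account now.")

    def confirm_change(self, user, token):
        entry = self.pending.get(user["id"])
        if entry is None:
            return False
        new_email, token_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[user["id"]]  # stale requests are discarded, not honoured
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        old_email = user["email"]
        user["email"] = new_email
        del self.pending[user["id"]]      # single use
        self.send_mail(old_email, "Your account email was changed",
                       f"The address on your account is now {new_email}.")
        return True
```

In production the token would travel inside a confirmation link rather than as a bare string, and the pending table would live in the database next to the user record.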

Reference:

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
