|
Task Description
Bypassing Two-Factor Authentication via Account Deactivation
Hello Team,
I hope you are doing well. I found a serious issue in https://admin.alwaysdata.com which Bypassing Two-Factor Authentication via Account Deactivation.
The vulnerability arises from a logical flaw in the account recovery and 2FA enforcement processes. Specifically, after deactivating an account, users can takeover and log in without being prompted for 2FA. The 2FA mechanism, which is designed to provide an additional layer of security, is effectively bypassed.
Steps To Reproduce
Go to https://admin.alwaysdata.com and make signup example@gmail.com
Then, go to admin detail section add some details first name, last name etc and activate 2fa.
After, activating 2fa submit and save the details.
After, saving the details click on Delete this profile button on right top side and submit the message what you want.
Your account is deleted without asking password confirmation and 2fa is also deactivated and attacker can easily takeover the account.
Note: This is possible only when user is forgot to login off the account at cafe or something else pc and recreate a account with this email address and reconfigure a 2fa to takeover the account.
Regard,
Waleed Anwar
|
