alwaysdata All Projects: Tasklist

	ID	Status	Summary	Opened by
	~~106~~	Closed	~~Bug Report: Broken Access Control on 2FA Leading to Pre~~ ...	DC	Task Description Subject: Misconfiguration in 2FA Implementation Allows Pre-Complete ATO To: Security Team alwaysdata Description: The lack of email verification before enabling Two-Factor Authentication (2FA) introduces a critical vulnerability that can facilitate pre-complete Account Takeover (ATO). An attacker can register email addresses resembling critical system accounts (e.g., administrator@alwaysdata.com or support@alwaysdata.com) without any validation. This misconfiguration allows the attacker to appear as legitimate users or administrators by exploiting the following gaps: 1. Email Address Control: The attacker registers administrator@alwaysdata.com (since admin@alwaysdata.com is already in use) or similar critical addresses such as support@alwaysdata.com. This bypass occurs because the application does not verify email ownership before enabling 2FA. 2. Pre-Complete ATO via 2FA: Once the attacker controls the fake email, they enable 2FA. This results in the following: - The email becomes "locked" for the attacker's use. - Real administrators or support users cannot register or regain control of these emails. - Critical accounts, if assumed to be associated with internal roles, are exploited for phishing or denial of service. This oversight compromises account security and can lead to severe operational and reputational risks for alwaysdata. Steps to Reproduce: 1. Register as a New User: - Create a new account with an email resembling a sensitive system role (e.g., administrator@alwaysdata.com or support@alwaysdata.com). 2. Set Up 2FA on the Account: - Enable Two-Factor Authentication without any email ownership verification. 3. Observe the Impact: - The attacker now controls a seemingly legitimate account. - Real users or employees attempting to register or recover accounts with these emails are blocked. 4. Potential Exploit: - Use the compromised "fake admin" email to trick other users or employees. - Execute phishing attacks or leverage the fake email for social engineering attempts. Business Impact: 1. Operational Risk: - Legitimate users or employees are unable to access critical accounts (e.g., admin@alwaysdata.com or support@alwaysdata.com). - This could lead to service disruptions and hinder internal workflows. 2. Security Risks: - Attackers can impersonate sensitive roles and deceive users or employees. - Creates opportunities for phishing, fraud, and social engineering attacks. 3. Reputational Damage: - Users and employees may lose trust in alwaysdata due to perceived weak account protection mechanisms. 4. Pre-Complete ATO: - Attacker gains control of accounts with system-level trust (e.g., admin-like emails) without the ability of real users to regain access. Severity: High Remediation Steps: 1. Mandate Email Verification: Require all email addresses to be verified during registration and before enabling 2FA. 2. Restrict Critical Email Formats: Disallow registrations with email addresses resembling sensitive roles (e.g., admin, administrator, support). 3. Enforce Ownership Validation: Implement strict validation to ensure that users can only enable 2FA on accounts they genuinely own. 4. Audit Existing Accounts: Identify and rectify any unverified accounts with potentially sensitive email addresses. Video POC: A detailed demonstration of the exploit steps is attached to this report to illustrate the issue clearly. https://drive.google.com/file/d/17DNkoihfOW7jyMoY_eWMGNiigNY4Zmo7/view?usp=sharing
	~~104~~	Closed	~~Bug Report: Vulnerability in User Addition Feature Lead~~ ...	DC	Task Description Bug Report: Vulnerability in User Addition Feature Leading to Email Blockage Exploit Subject: Misconfiguration in User Addition Feature - Enables Permanent Blockage of Employee/User Emails To: Security Team alwaysdata Description: The "Add a User" feature in your application has a critical misconfiguration that allows attackers to exploit email handling mechanisms. The vulnerability permits any email address, including sensitive ones like victim@alwaysdata.com or employee@alwaysdata.com, to be registered by an attacker under their account. This issue occurs irrespective of whether the victim is an actual user or employee of alwaysdata. Key Problem: Once an attacker registers email addresses to their account, the application erroneously considers these emails as "already in use." Consequently, legitimate users or employees are unable to: • Register with their own email addresses. • Recover passwords using the "Forgot Password" feature. This creates a significant denial of service for legitimate users, especially for employee emails or those critical to operations. Steps to Reproduce: 1. Login to the Application: o Attacker logs into their account on alwaysdata. 2. Access the "Add a User" Feature: o Navigate to the "Add a User" section. 3. Add Any Email Address: o Enter any target email (e.g., victim@alwaysdata.com, employee@alwaysdata.com, or database_admin@alwaysdata.com) and add it as a user. 4. Observe the Impact: o The entered email is stored in the database, associating it with the attacker’s account. o Legitimate users or employees attempting to register with their email or recover their account using "Forgot Password" are blocked as their emails are flagged as already registered. Business Impact: 1. Disruption of Operations: Employees using critical emails (e.g., employee@alwaysdata.com, support@alwaysdata.com) are prevented from accessing the platform. This can halt workflows and damage operational continuity. 2. Customer Impact: Legitimate customers with hijacked email registrations are blocked from using the platform, leading to frustration and loss of trust. 3. Potential Abuse: o Attacker could pre-register a large list of potential or known email addresses (e.g., 100+ victims). o Targeted denial of service campaigns against specific users or employees. 4. Reputational Damage: Affected users may view alwaysdata as insecure and prone to misuse. Severity: Moderate to High Remediation Steps: 1. Email Validation: Restrict the registration of emails ending with @alwaysdata.com to prevent abuse of employee addresses. 2. Duplicate Email Handling: Implement a verification mechanism to check if an email is legitimately registered to an account and ensure users can still register or recover their accounts. 3. Audit "Add a User" Logic: Validate and sanitize inputs to avoid unauthorized addition of unrelated or sensitive emails. 4. Email Ownership Verification: Mandate email verification for all newly added users before finalizing their association with an account. Video POC: A detailed POC has been attached showcasing the reproduction of this bug and its consequences. https://drive.google.com/file/d/1TBi7njRCCsqkHhAEri7viUmyGot1Pyf5/view?usp=sharing

~~106~~

Closed

~~Bug Report: Broken Access Control on 2FA Leading to Pre~~ ...

Task Description

Subject: Misconfiguration in 2FA Implementation Allows Pre-Complete ATO

To:
Security Team
alwaysdata

Description:
The lack of email verification before enabling Two-Factor Authentication (2FA) introduces a critical vulnerability that can facilitate pre-complete Account Takeover (ATO). An attacker can register email addresses resembling critical system accounts (e.g., administrator@alwaysdata.com or support@alwaysdata.com) without any validation.
This misconfiguration allows the attacker to appear as legitimate users or administrators by exploiting the following gaps:
1. Email Address Control:
The attacker registers administrator@alwaysdata.com (since admin@alwaysdata.com is already in use) or similar critical addresses such as support@alwaysdata.com. This bypass occurs because the application does not verify email ownership before enabling 2FA.
2. Pre-Complete ATO via 2FA:
Once the attacker controls the fake email, they enable 2FA. This results in the following:
- The email becomes "locked" for the attacker's use.
- Real administrators or support users cannot register or regain control of these emails.
- Critical accounts, if assumed to be associated with internal roles, are exploited for phishing or denial of service.
This oversight compromises account security and can lead to severe operational and reputational risks for alwaysdata.

Steps to Reproduce:
1. Register as a New User:
- Create a new account with an email resembling a sensitive system role (e.g., administrator@alwaysdata.com or support@alwaysdata.com).
2. Set Up 2FA on the Account:
- Enable Two-Factor Authentication without any email ownership verification.
3. Observe the Impact:
- The attacker now controls a seemingly legitimate account.
- Real users or employees attempting to register or recover accounts with these emails are blocked.
4. Potential Exploit:
- Use the compromised "fake admin" email to trick other users or employees.
- Execute phishing attacks or leverage the fake email for social engineering attempts.

Business Impact:
1. Operational Risk:
- Legitimate users or employees are unable to access critical accounts (e.g., admin@alwaysdata.com or support@alwaysdata.com).
- This could lead to service disruptions and hinder internal workflows.
2. Security Risks:
- Attackers can impersonate sensitive roles and deceive users or employees.
- Creates opportunities for phishing, fraud, and social engineering attacks.
3. Reputational Damage:
- Users and employees may lose trust in alwaysdata due to perceived weak account protection mechanisms.
4. Pre-Complete ATO:
- Attacker gains control of accounts with system-level trust (e.g., admin-like emails) without the ability of real users to regain access.

Severity:
High

Remediation Steps:
1. Mandate Email Verification:
Require all email addresses to be verified during registration and before enabling 2FA.
2. Restrict Critical Email Formats:
Disallow registrations with email addresses resembling sensitive roles (e.g., admin, administrator, support).
3. Enforce Ownership Validation:
Implement strict validation to ensure that users can only enable 2FA on accounts they genuinely own.
4. Audit Existing Accounts:
Identify and rectify any unverified accounts with potentially sensitive email addresses.

Video POC:
A detailed demonstration of the exploit steps is attached to this report to illustrate the issue clearly.
https://drive.google.com/file/d/17DNkoihfOW7jyMoY_eWMGNiigNY4Zmo7/view?usp=sharing

~~104~~

Closed

~~Bug Report: Vulnerability in User Addition Feature Lead~~ ...

Task Description

Bug Report: Vulnerability in User Addition Feature Leading to Email Blockage Exploit

Subject: Misconfiguration in User Addition Feature - Enables Permanent Blockage of Employee/User Emails

To:
Security Team
alwaysdata

Description:
The "Add a User" feature in your application has a critical misconfiguration that allows attackers to exploit email handling mechanisms. The vulnerability permits any email address, including sensitive ones like victim@alwaysdata.com or employee@alwaysdata.com, to be registered by an attacker under their account. This issue occurs irrespective of whether the victim is an actual user or employee of alwaysdata.
Key Problem:
Once an attacker registers email addresses to their account, the application erroneously considers these emails as "already in use." Consequently, legitimate users or employees are unable to:
• Register with their own email addresses.
• Recover passwords using the "Forgot Password" feature.
This creates a significant denial of service for legitimate users, especially for employee emails or those critical to operations.

Steps to Reproduce:
1. Login to the Application:
o Attacker logs into their account on alwaysdata.
2. Access the "Add a User" Feature:
o Navigate to the "Add a User" section.
3. Add Any Email Address:
o Enter any target email (e.g., victim@alwaysdata.com, employee@alwaysdata.com, or database_admin@alwaysdata.com) and add it as a user.
4. Observe the Impact:
o The entered email is stored in the database, associating it with the attacker’s account.
o Legitimate users or employees attempting to register with their email or recover their account using "Forgot Password" are blocked as their emails are flagged as already registered.

Business Impact:
1. Disruption of Operations:
Employees using critical emails (e.g., employee@alwaysdata.com, support@alwaysdata.com) are prevented from accessing the platform. This can halt workflows and damage operational continuity.
2. Customer Impact:
Legitimate customers with hijacked email registrations are blocked from using the platform, leading to frustration and loss of trust.
3. Potential Abuse:
o Attacker could pre-register a large list of potential or known email addresses (e.g., 100+ victims).
o Targeted denial of service campaigns against specific users or employees.
4. Reputational Damage:
Affected users may view alwaysdata as insecure and prone to misuse.

Severity:
Moderate to High

Remediation Steps:
1. Email Validation:
Restrict the registration of emails ending with @alwaysdata.com to prevent abuse of employee addresses.
2. Duplicate Email Handling:
Implement a verification mechanism to check if an email is legitimately registered to an account and ensure users can still register or recover their accounts.
3. Audit "Add a User" Logic:
Validate and sanitize inputs to avoid unauthorized addition of unrelated or sensitive emails.
4. Email Ownership Verification:
Mandate email verification for all newly added users before finalizing their association with an account.

Video POC:
A detailed POC has been attached showcasing the reproduction of this bug and its consequences.
https://drive.google.com/file/d/1TBi7njRCCsqkHhAEri7viUmyGot1Pyf5/view?usp=sharing

Showing tasks 1 - 2 of 2 Page 1 of 1

All Projects

Available keyboard shortcuts

Tasklist

Task Details

Task Editing