Insecure Account Deletion
Hello Team,

There is an insecure account deletion issue.

Exploit Scenario:

1. The user logs into their account on a shared computer (office, café, library, etc.).
2. By mistake, the user leaves the account open.
3. An attacker finds the account open on the shared device and tries to delete the user's account.
4. The attacker can easily delete the account because the system does not ask for any user authentication before executing this sensitive action.
Steps to reproduce:
(CHANGE AS PER YOUR DOMAIN.)

1. Go to account settings.
2. Go to Delete account.
3. Type DELETE and click Go!

(If your account is deleted without any password or other user confirmation, then this is an insecure account deletion vulnerability.)
Mitigation:

Require re-authentication: when a user is deleting the account, ask them to enter their password before the deletion is carried out. This ensures that a legitimate user, and not just whoever holds the open session, is attempting to delete the account.
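As an added illustration of the mitigation (example code written for this page, not code from the original report or from any particular application), the following Python models a delete-account handler in both forms: one that trusts the logged-in session plus the typed DELETE keyword alone, and one that additionally re-verifies the account password at request time. The in-memory user store, the PBKDF2 password hashing and the session dict are constructed stand-ins for whatever the real application uses; the function and field names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for the app's password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    deleted: bool = False


class UserStore:
    """Constructed in-memory user table standing in for the application database."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.deleted:
            return False
        # Constant-time comparison so the check leaks nothing about the stored hash.
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def delete_account_insecure(store: UserStore, session: dict, confirmation: str) -> tuple[int, str]:
    """The vulnerable pattern from the report: an open session plus the typed
    keyword is all that is required, so anyone at the unattended screen can delete."""
    if confirmation != "DELETE":
        return 400, "type DELETE to confirm"
    username = session.get("username")
    if username not in store.users:
        return 401, "not logged in"
    store.users[username].deleted = True
    return 200, "account deleted"


def delete_account_secure(store: UserStore, session: dict, confirmation: str, password: str) -> tuple[int, str]:
    """Hardened handler: the same typed keyword, but the account password must
    also be re-entered with this request (re-authentication), so an attacker
    who merely finds the session open cannot complete the deletion."""
    if confirmation != "DELETE":
        return 400, "type DELETE to confirm"
    username = session.get("username")
    if username not in store.users:
        return 401, "not logged in"
    if not store.verify_password(username, password):
        # Do not reveal whether the session or the password was the problem.
        return 401, "re-authentication failed"
    store.users[username].deleted = True
    return 200, "account deleted"


def run_scenario() -> dict:
    """Replays the report's exploit scenario against both handlers.

    The victim ("alice") is logged in and walks away; the attacker types
    DELETE but does not know the password (the guess is constructed)."""
    hijacked_session = {"username": "alice"}

    insecure_store = UserStore()
    insecure_store.add("alice", "correct horse battery staple")
    insecure_status, _ = delete_account_insecure(insecure_store, hijacked_session, "DELETE")

    secure_store = UserStore()
    secure_store.add("alice", "correct horse battery staple")
    attacker_status, _ = delete_account_secure(secure_store, hijacked_session, "DELETE", "password123")
    owner_status, _ = delete_account_secure(
        secure_store, hijacked_session, "DELETE", "correct horse battery staple"
    )

    return {
        "insecure_status": insecure_status,
        "insecure_deleted": insecure_store.users["alice"].deleted,
        "secure_attacker_status": attacker_status,
        "secure_owner_status": owner_status,
        "secure_deleted": secure_store.users["alice"].deleted,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the replayed scenario the insecure handler deletes the account with nothing but the open session, while the hardened handler returns 401 to the attacker and only deletes once the real password is supplied. In a real application the same check belongs on the server side of the delete endpoint, not in client-side JavaScript, since the keyword prompt alone is only a UI safeguard against accidents.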
Let us know if you need more information.

I have attached the PoC for your ready reference.

Thank you.