Insecure Account Deletion - IAD - Tutorial Boy -->

Insecure Account Deletion - IAD

 Hello Team,

There is an insecure account deletion Issue.

Exploit Scenario:

  1. The user logins into his account on a shared computer like offices, café, library, etc,
  2. By mistake, the user left the account open.
  3. The attacker came and found the account open on a shared device. The attacker tries to delete the user's account
  4. The attacker can easily delete the account because the system did not ask for any user authentication prior to the execution of this sensitive action.

Steps to reproduce:

(CHANGE AS PER YOUR DOMAIN).
  1. Go to Account setting.
  2. Go to delete the account
  3. Type DELETE and click go!

(If your account is deleted without any password/user confirmation then this is an Insecure account deletion vulnerability)

Mitigation:

Use re-authentication so when anyone/user is deleting the account, they would be asked to input a password before the deletion of the account. This will ensure that a legit user is attempting to delete an account.


Let us know if you need more information.

I have attached PoC for your ready reference.

Thank you.