Insecure Account Deletion

Hi Team,

The removal of an account is one of the sensitive parts of a web application that need to be protected; therefore, removing an account should validate the authenticity of the user. However, I have found that when removing an account, the system did not require the user to input the account password.

Steps to reproduce:
1. Go to Fiverr - Freelance Services Marketplace and log in to your account.
2. Go to profile/settings.
3. You'll see the "deactivate account" button.
4. Press that button and your account will be successfully deleted.

Mitigation: Put re-authentication in place when any user is deleting an account; ask the user to input the password before the completion of the account deletion.

Let me know if you need more information.

Impact

Exploit Scenario:
1. The user logs in on a shared computer (office, library, cafe).
2. The user leaves the account open.
3. An intruder comes and tries to delete the user's account.
4. The intruder can easily delete the account because the system did not protect it by asking for the password to validate that the person deleting the account is the real user.