How I Deleted Any User’s Account — No Interaction Needed
Summary
Ethical hacker Ehteshamul Haq has explained how he was able to delete any user’s entire account on a target site.
Haq discovered that the login endpoint on the target site allowed unlimited login attempts, meaning he could brute-force the password of any account to gain entry.
From there, he discovered that the account deletion function was insecure, allowing him to delete any account on the site without any kind of verification.
The vulnerability has now been fixed, but Haq said the discovery highlighted how even simple vulnerabilities can lead to catastrophic impact if left unchecked.
He said that the attack could have been mitigated by implementing rate limiting on the login endpoint and additional verification before an account is deleted.
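The two mitigations named above, as an added illustration in plain Python (not code from Haq’s writeup or from the affected site): a per-account limiter that cuts off a login brute force, and a deletion handler that trusts only the authenticated session and demands a password re-entry, shown beside the unverified deletion pattern the summary describes. The in-memory user store and the plaintext passwords are constructed for the demo.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo store: username -> password (plaintext only for the demo;
# a real service compares against a password hash).
USERS = {"alice": "correct horse", "bob": "hunter2"}


class LoginRateLimiter:
    """Allow at most `limit` failed attempts per account within `window` seconds."""

    def __init__(self, limit=5, window=900):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)  # username -> timestamps of failures

    def allowed(self, username, now=None):
        now = time.time() if now is None else now
        q = self.failures[username]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, username, now=None):
        self.failures[username].append(time.time() if now is None else now)


def login(limiter, username, password, now=None):
    """Returns 'ok', 'denied', or 'locked' (too many recent failures)."""
    if not limiter.allowed(username, now):
        return "locked"  # brute force stops here, even if the guess is right
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return "ok"
    limiter.record_failure(username, now)
    return "denied"


# Vulnerable pattern: trusts the user id supplied in the request and asks for
# no verification at all, so any caller can delete any account.
def delete_account_vulnerable(request_user_id):
    return USERS.pop(request_user_id, None) is not None


# Hardened: only the logged-in session may delete its own account, and the
# caller must re-enter the current password as an explicit confirmation step.
def delete_account_hardened(session_user, target_user, confirm_password):
    if session_user is None or session_user != target_user:
        return False  # cannot delete someone else's account
    stored = USERS.get(session_user, "")
    if not stored or not hmac.compare_digest(stored.encode(), confirm_password.encode()):
        return False  # re-authentication failed
    del USERS[session_user]
    return True
```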