๐Ÿ› ๏ธ Account deletion

Theory

Removing an account is a sensitive and usually irreversible action, so the endpoint that performs it needs the same care as a password change or a payment.

Practice

The following protection mechanism should be incorporated:
  1. Protection: when deleting an account, the web application should require the user to re-enter their credentials (the current password, or a second factor). This helps defeat attacks such as CSRF or XSS-driven requests, where an attacker can make the victim's browser send the deletion request but does not know the victim's password. The account to delete must also be taken from the authenticated session, never from a user-supplied identifier in the request.
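The handler below is an added example, not code from the original page: a hypothetical, framework-free account-deletion endpoint that applies the protections above. The `App`, `Request` and `User` classes, the PBKDF2 parameters and the sample users are all assumptions constructed for the illustration; only the standard library is used.

```python
"""Re-authenticated account deletion (hypothetical, stdlib-only illustration)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not reveal how much matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    digest: bytes


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class App:
    users: dict = field(default_factory=dict)     # user_id -> User
    sessions: dict = field(default_factory=dict)  # session_id -> {"user_id", "csrf"}

    def register(self, user_id, email, password):
        salt, digest = hash_password(password)
        self.users[user_id] = User(user_id, email, salt, digest)

    def login(self, email, password):
        user = next((u for u in self.users.values() if u.email == email), None)
        if user is None or not verify_password(password, user.salt, user.digest):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user_id": user.user_id, "csrf": secrets.token_urlsafe(32)}
        return sid

    def delete_account(self, req):
        """Return (http_status, message); the account comes from the session only."""
        # 1. State-changing action: never on GET (prefetchers, <img src>, plain links).
        if req.method != "POST":
            return 405, "method not allowed"
        # 2. An authenticated session is required.
        sess = self.sessions.get(req.cookies.get("session", ""))
        if sess is None:
            return 401, "not logged in"
        # 3. Anti-CSRF token bound to the session; a cross-site form cannot know it.
        if not hmac.compare_digest(req.form.get("csrf", "").encode(), sess["csrf"].encode()):
            return 403, "bad csrf token"
        # 4. Re-authentication: the current password must be re-entered. The target
        #    user is taken from the session, never from a user_id field in the form.
        user = self.users[sess["user_id"]]
        if not verify_password(req.form.get("password", ""), user.salt, user.digest):
            return 403, "password re-entry failed"
        # 5. Delete the account and invalidate every session that belonged to it.
        del self.users[user.user_id]
        self.sessions = {k: v for k, v in self.sessions.items() if v["user_id"] != user.user_id}
        return 200, "account %d deleted" % user.user_id


if __name__ == "__main__":
    # Constructed sample data: two users, Alice logged in.
    app = App()
    app.register(1, "alice@example.com", "correct horse")
    app.register(2, "bob@example.com", "battery staple")
    sid = app.login("alice@example.com", "correct horse")
    # A forged cross-site POST carries Alice's cookie but no token and no password.
    print(app.delete_account(Request("POST", {"session": sid}, {"user_id": 2})))
    # The legitimate request re-enters the password together with the CSRF token.
    csrf = app.sessions[sid]["csrf"]
    print(app.delete_account(Request("POST", {"session": sid},
                                     {"csrf": csrf, "password": "correct horse"})))
```

The forged request is refused even though the browser attached a valid session cookie, because the attacker can supply neither the session-bound CSRF token nor the password; a `user_id` smuggled into the form is ignored, so a logged-in user can only ever delete their own account.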

References

Liberapay disclosed on HackerOne: Insecure Account Deletion (HackerOne)
#BugBounty - How I was able to delete anyone's account in an Online Car Rental Company (Medium)