Discovering a Critical Vulnerability in an Application: The Journey of an Accidental Admin

Adarsh Kumar

Date: June 6, 2024

In the ever-evolving world of cybersecurity, every day brings new challenges and discoveries. As a security researcher, my mission is to uncover vulnerabilities before they can be exploited by malicious actors. Recently, I stumbled upon a critical flaw in an application that underscores the importance of robust access controls. Here’s the story of how I became an accidental admin and the steps needed to secure the system.

The Discovery

Bug Title: Unauthorized Access to Dashboard Without Administrator Approval
CVSS v4.0 Score: 9.3 / Critical
URL: https://example.com

The vulnerability in question allows users to access the application’s administrative dashboard without the necessary approvals. Essentially, anyone could become an admin and gain access to sensitive information and functionality meant only for authorized personnel.

The Journey Begins

It all started with a routine exploration. I decided to sign up for a new account on the application to better understand its functionality. Here’s how the discovery unfolded:

Creating an Account:

Logging In:

  • Using my new credentials, I logged in at https://example.com/login/.
  • Upon login, I encountered a 403 error page indicating that I needed to contact an administrator to approve my account.
[Screenshot: Access Denied]

Exploring the Site:

  • My curiosity led me to the site’s robots.txt file at https://example.com/robots.txt. This file is typically used to guide search engine crawlers and prevent them from overloading the site with requests.
[Screenshot: robots.txt]
  • The robots.txt file revealed several URLs, sparking my curiosity further. I began testing these URLs and, to my surprise, discovered that I could access administrative pages without any approval. This was a clear case of Broken Access Control, a critical security flaw.

The Implications

The implications of this vulnerability are severe. Here’s what unauthorized users could do:

  • Access Sensitive Information: Confidential data intended only for administrators could be exposed.
  • Manipulate Data: Unauthorized users could alter or delete data, leading to potential data breaches.
  • Perform Administrative Actions: Actions meant only for administrators could be executed by anyone, posing significant security risks.

A Closer Look at the Affected Components

  • Login Functionality: The system fails to differentiate between regular users and administrators during login.
  • Dashboard Access Control: There are no proper checks to ensure that only authorized users can access the dashboard.

Addressing the Vulnerability

To safeguard the application from such critical vulnerabilities, here are the recommended steps:

Implement Robust Access Controls:

  • Ensure that access to the dashboard is restricted based on user roles and permissions.

Restrict Administrative Actions:

  • Only authorized administrators should be able to perform sensitive actions.

Approval Workflow:

  • Introduce a thorough approval process for users requesting administrative access.

Regular Audits:

  • Conduct regular audits of access controls to identify and address similar vulnerabilities.
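To make the flaw and the fix concrete, here is a small Python model added for this write-up (it is not code from the report or from the affected application). The vulnerable dispatcher checks account approval only when rendering the login page, so any administrative URL harvested from robots.txt is served; the hardened dispatcher is deny-by-default and re-checks approval and role on every request. The user accounts, route table and status codes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    role: str        # "user" or "admin"
    approved: bool   # set to True only after an administrator approves the account

# Constructed sample accounts (hypothetical, not from the original report).
USERS = {
    "alice": User("alice", "admin", approved=True),    # approved administrator
    "newbie": User("newbie", "user", approved=False),  # freshly registered, awaiting approval
}

# Route -> role required to reach it; None means public.
# Any path not listed here is unknown and is never served.
ROUTE_POLICY = {
    "/login/": None,
    "/dashboard/": "admin",
    "/admin/users/": "admin",
}

def vulnerable_dispatch(user: Optional[User], path: str) -> int:
    """Approval is enforced only on /login/. Every other known route is
    served to anyone who knows the URL, which is exactly what the
    robots.txt listing hands out."""
    if path not in ROUTE_POLICY:
        return 404
    if path == "/login/" and user is not None and not user.approved:
        return 403   # the 'contact an administrator' page
    return 200

def hardened_dispatch(user: Optional[User], path: str) -> int:
    """Deny by default: authentication, approval and role are checked on
    every request, independently of how the URL was discovered."""
    if path not in ROUTE_POLICY:
        return 404
    required_role = ROUTE_POLICY[path]
    if required_role is None:
        return 200                      # public route
    if user is None:
        return 401                      # not authenticated
    if not user.approved:
        return 403                      # registered but not yet approved
    if user.role != required_role:
        return 403                      # approved, but wrong role
    return 200
```

Running both dispatchers over the same unapproved account shows the difference: the vulnerable one returns 200 for /admin/users/, the hardened one returns 403 until an administrator flips `approved` and grants the admin role.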

The Technical Environment

For those interested in the technical details, here’s the environment in which the vulnerability was discovered:

  • Operating System: Windows 11 Home Single Language
  • Version/Build: 22H2
  • OS Build: 22621.3235
  • Browser/Client: Firefox Nightly
  • Version/Build: Version 125.0a1 (2024-03-17) (64-bit)

Final Thoughts

Uncovering this vulnerability was a stark reminder of the importance of diligent security practices. It’s crucial for developers to implement stringent access controls to protect sensitive data and functionalities. As a security researcher, I hope this discovery serves as a wake-up call for improving security measures.

Reported By:
Adarsh Kumar (aka @adarshkrdubay)
Stay safe and secure your digital spaces. Until next time!
