Insecure Account Removal

Saeid Khater
1 min read · May 26, 2024


Overview of the Vulnerability:

Account removal is one of the most sensitive functions of a web application and needs to be protected accordingly; deleting an account should therefore verify that the person making the request is the legitimate account owner. However, I found that when removing an account, the system did not require the user to enter the account password.

Steps:

  1. The user logs in on a shared computer (office, library, cafe).
  2. The user walks away, leaving the account logged in.
  3. An intruder sits down and tries to delete the user's account.
  4. The intruder can delete the account without difficulty, because the system does not ask for the password to confirm that the person deleting the account is the legitimate user.
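The following is an added example that is not part of the original post and is not the vulnerable application's code. It shows a minimal in-memory account store with two deletion handlers: one that relies only on a live session (the weakness described above) and one that re-authenticates with the account password before deleting. The names `register`, `delete_account_insecure`, `delete_account_secure` and the audit log are assumptions for illustration; a real application would back these with a database and its web framework's session handling.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000  # work factor for the password hash

# Constructed in-memory store and audit log (stand-ins for a database and SIEM feed).
audit_log: List[str] = []


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    """A logged-in browser session; on a shared computer anyone at the keyboard has one."""
    user_id: str


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the salt is per user so equal passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(store: Dict[str, User], username: str, password: str) -> User:
    salt = os.urandom(16)
    user = User(username, salt, hash_password(password, salt))
    store[username] = user
    return user


def verify_password(user: User, password: str) -> bool:
    candidate = hash_password(password, user.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, user.pw_hash)


def delete_account_insecure(store: Dict[str, User], session: Session) -> str:
    """The flaw from the post: a live session is the only thing checked."""
    store.pop(session.user_id, None)
    return "deleted"


def delete_account_secure(store: Dict[str, User], session: Session,
                          password: Optional[str]) -> str:
    """Hardened handler: the request must carry the account password."""
    user = store.get(session.user_id)
    if user is None:
        return "not_found"
    if password is None or not verify_password(user, password):
        # Record the failed re-authentication; repeated failures on one
        # account are a useful detection signal for an unattended session.
        audit_log.append(f"delete_account reauth failed for {user.username}")
        return "reauth_required"
    del store[user.username]
    audit_log.append(f"delete_account succeeded for {user.username}")
    return "deleted"


if __name__ == "__main__":
    users: Dict[str, User] = {}
    register(users, "alice", "correct horse battery staple")
    unattended = Session("alice")  # the session the intruder finds open
    print(delete_account_secure(users, unattended, None))      # reauth_required
    print(delete_account_secure(users, unattended, "guess"))   # reauth_required
    print("alice" in users)                                    # True
    print(delete_account_insecure(users, unattended))          # deleted
    print("alice" in users)                                    # False
```

The secure handler treats a missing or wrong password identically and logs both, so the request succeeds only when the person at the keyboard knows the credential, not merely when a session cookie is present. After a successful deletion the application should also invalidate every other session for that account.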

Impact:

  1. Loss of User Data: Permanent deletion of important user information.
  2. Reputational Damage: Loss of user trust and potential negative publicity.
  3. Security Breach: Easy exploitation by unauthorized individuals.
  4. User Inconvenience: Difficulty in account recovery, leading to user frustration.
  5. Legal Issues: Potential violations of data protection laws like GDPR or CCPA.


Written by Saeid Khater

Web Developer | Penetration tester | Bug hunter