Non-Deletable Co-Admin Due To Change Name Functionality
Hey users…
I found something unusual while I was working with username.bime.io.
I noticed that when an admin adds a new admin, let's name him X, the admin can delete user X at any moment after creating him.
But if user X changes his name to {{ javascript }}, the admin won't be able to delete him as a user unless he first changes user X's name.
I found it pretty unusual.
User X can keep his access for as long as he wants, and the admin can't do anything about it until he changes the user's name.
Steps To Repro
1) Create a new user with your desired privilege.
2) Now log in with the new user's account and change his name to {{ javascript }}.
3) Now, from the admin account, try deleting the new user under his new name, i.e. {{ javascript }}.
Conclusion: you can't delete that user.
How Does This Pose A Security Risk?
Even when the admin wants to delete the new user he created, he cannot, and that user keeps his access for a very long time, until the admin realizes he has to change the user's name first.
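The post does not say why a name of {{ javascript }} blocks the delete action. As an added example (not the author's code or the vendor's), here is the server-side hardening a defender would want regardless of the exact cause: reject display names that contain template delimiters, and key every admin action on an immutable user id rather than on the name. The template-interpolation cause, the validator and the `UserStore` class are all assumptions made for this illustration.

```python
import re
# Delimiters that common template engines treat as expression markers. The post
# does not say why "{{ javascript }}" breaks the admin page; rendering the name via
# a client-side template is an ASSUMED cause, so this is defence in depth, not a fix.
TEMPLATE_DELIMITERS = ("{{", "}}", "{%", "%}", "${", "<%", "%>")
MAX_NAME_LEN = 64
NAME_PATTERN = re.compile(r"[\w .'\-]+")  # letters, digits, space, . ' - only


def validate_display_name(name: str) -> bool:
    """Return True only for names that are safe to render as plain text."""
    if not 1 <= len(name) <= MAX_NAME_LEN:
        return False
    if any(tok in name for tok in TEMPLATE_DELIMITERS):
        return False
    return NAME_PATTERN.fullmatch(name) is not None


class UserStore:
    """Constructed in-memory store: admin actions are keyed by uid, never by name."""
    def __init__(self) -> None:
        self.users: dict[int, str] = {}  # uid -> display name
        self._next_uid = 1

    def create(self, name: str) -> int:
        if not validate_display_name(name):
            raise ValueError("invalid display name")
        uid, self._next_uid = self._next_uid, self._next_uid + 1
        self.users[uid] = name
        return uid

    def rename(self, uid: int, new_name: str) -> bool:
        """Server-side check: a user cannot pick a name the admin UI cannot render."""
        if uid not in self.users or not validate_display_name(new_name):
            return False
        self.users[uid] = new_name
        return True

    def delete(self, uid: int) -> bool:
        """Deletion by uid succeeds whatever the current display name is."""
        return self.users.pop(uid, None) is not None


def admin_scenario() -> dict:
    """Replay the post's three steps against the hardened store (constructed data)."""
    store = UserStore()
    x = store.create("user x")                     # step 1: admin creates X
    renamed = store.rename(x, "{{ javascript }}")  # step 2: rejected -> False
    deleted = store.delete(x)                      # step 3: by uid -> True
    return {"renamed": renamed, "deleted": deleted, "remaining": len(store.users)}
```

Even if the rename check were bypassed, deletion still works because the admin action never depends on the display name.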
Video POC:
Let me know if you need anything regarding it.
Thanks for reading!!!!