Non-Deletable Co-Admin Due To Change Name Functionality

Hey users,
I found something unusual while I was working with
I noticed that when an admin adds a new admin, let's name him X,
then after creating that user the admin can delete user X at any moment.
But if user X changes his name to {{ javascript }}, the admin won't be able to delete him as a user unless he first changes the name of user X.
I found it pretty unusual.
He can keep his access as long as he wants, and the admin can't do anything until he changes his name.

Steps to reproduce
1) Create a new user with your desired privilege.
2) Now log in with the new user's account and change his name to {{ javascript }}
3) Now, from the admin account, try deleting the new user under the new name, i.e. {{ javascript }}
Conclusion: you can't delete that user.
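The post does not say why a name of {{ javascript }} blocks the delete, so the root cause is not established here. One plausible mechanism, and the one a practitioner would check first, is that the admin page renders the display name through a client-side template engine that evaluates every {{ expr }} it finds, and that the delete control is keyed on that displayed name rather than on the user's id. The following is an added illustration of that assumed mechanism, written for this page; it is not code from the original post or from the affected application, and the store, row templates, scope and lookup rules are all constructed for the example. It shows the vulnerable flow failing to delete user X and the hardened flow (escaped name, deletion keyed by id) succeeding.

```javascript
// Added illustration, not code from the original post or the affected
// application. It models ONE plausible mechanism for the behaviour described:
// a client-side template engine evaluates every "{{ expr }}" it finds in the
// admin page, and the delete control is keyed on the displayed name. Whether
// the real application works this way is an assumption.

// Constructed sample data: user 2 is "user X" after the rename.
function sampleStore() {
  return [
    { id: 1, name: "alice" },
    { id: 2, name: "{{ javascript }}" },
  ];
}

// Vulnerable row: the display name is dropped into the markup unescaped and
// the delete button carries the name as its target.
function buildRowRaw(user) {
  return `<tr><td>${user.name}</td>` +
         `<td><button data-target="${user.name}">Delete</button></td></tr>`;
}

// Model of a client-side template engine: every {{ expr }} left in the markup
// is evaluated against the page scope; unknown expressions render as "".
function evaluateBindings(markup, scope) {
  return markup.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, key) =>
    key in scope ? String(scope[key]) : "");
}

// Hardened row: HTML-escape the name, neutralise the template delimiters so the
// engine treats them as text, and key the delete button on the immutable id.
function escapeForTemplate(value) {
  return String(value)
    .replace(/[&<>"]/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]))
    .replace(/\{/g, "&#123;")
    .replace(/\}/g, "&#125;");
}

function buildRowSafe(user) {
  return `<tr><td>${escapeForTemplate(user.name)}</td>` +
         `<td><button data-target="${user.id}">Delete</button></td></tr>`;
}

// The click handler reads the target back out of the rendered row.
function extractTarget(markup) {
  const m = /data-target="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// Admin deletes the user the row points at. `matches` is the server-side
// lookup rule (by name in the vulnerable flow, by id in the hardened one).
// Returns true if a user was removed from `store`.
function adminDelete(store, user, buildRow, matches) {
  const markup = evaluateBindings(buildRow(user), {}); // admin scope has no "javascript" binding
  const target = extractTarget(markup);
  const idx = store.findIndex(u => matches(u, target));
  if (idx === -1) return false;           // nothing to delete: user X survives
  store.splice(idx, 1);
  return true;
}

const byName = (u, target) => u.name === target;
const byId = (u, target) => String(u.id) === target;

// Runs both flows against user X and reports the outcome.
function demo() {
  const vuln = sampleStore();
  const vulnDeleted = adminDelete(vuln, vuln[1], buildRowRaw, byName);
  const safe = sampleStore();
  const safeDeleted = adminDelete(safe, safe[1], buildRowSafe, byId);
  return { vulnDeleted, vulnRemaining: vuln.length, safeDeleted, safeRemaining: safe.length };
}

console.log(demo()); // vulnDeleted: false, safeDeleted: true
```

In the vulnerable flow the name {{ javascript }} evaluates to an empty string before the click handler reads it, so the delete request names a user that does not exist and user X stays. Escaping alone only fixes the rendering; keying the delete on the id is what makes the operation independent of whatever the user chooses to call himself, which is the check worth confirming when triaging a report like this one.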

How does this pose a security risk?

Even when the admin wants to delete the new user he created, he cannot, and that user keeps his access for a very long period of time, until the admin realizes he has to change the user's name first.

Video POC:

Let me know if you need anything regarding it.

Thanks for reading!
