Insecure Business Logic - Client Side Enforcement Bypass on User Account Deletion in answerdev/answer


Reported on

Feb 22nd 2023


The application enforces account deletion on the client-side with a popup that states the admin account cannot be deleted. Additionally, regular users do not have an option in the interface to delete their own account.

An administrative and regular-privileged user are able to bypass this restriction by intercepting the request and executing it through Burp Repeater. See screenshot evidence of this vulnerability here -

Proof of Concept

PUT /answer/admin/api/user/status HTTP/1.1
Content-Length: 46
Accept-Language: en_US
Authorization: 205834a8-b25a-11ed-99de-0242ac110002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: no-transform



HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Wed, 22 Feb 2023 02:51:43 GMT
Content-Length: 65
Connection: close



The utilization of client-side enforcement of user actions allows for users to modify requests in transit from the browser to the server. In the case of this vulnerability, the deletion of an account by a user appears to be against the logic of the application as the primary admin is restricted, and a regular user is not given the option to do so.

Deletion of the primary administrator account restricts complete access to the control of the application if no other administrative account is created and present.


This is probably not the correct location in the code, but was where I could find some of the handling for user account status modifiers.

We are processing your report and will contact the answerdev/answer team within 24 hours. 9 months ago
A GitHub Issue asking the maintainers to create a exists 9 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 9 months ago
joyqi validated this vulnerability 9 months ago
Joe Helle has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 4ca242 9 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 9 months ago
backyard_user_schema.go#L8 has been validated
to join this conversation