Informational Bug Bounty in Indeed.com

Website: https://indeed.com


Vulnerability Name: Lack of Password confirmation on account deletion


Severity: P5


Vulnerable URL: https://secure.indeed.com/account/view


Payload used: No Payload used

How to reproduce this issue?

I created an account, then went to settings on the right tab, where I found the account option. I clicked on it and found an option to close my account. When I clicked on it, it didn't ask me for the password.




Impact:

This can be harmful: if a user forgets to log out of their account on a public computer, anyone can delete the account without any further permission being required.

Remediation:


The developer should require the password on account deletion so that only the authorized user can delete the account.
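
The remediation above, sketched as an added example (not code from this report or from Indeed): a close-account handler that accepts a valid session alone, beside one that re-checks the current password first. The `AccountStore` class, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """Hypothetical in-memory user store: user_id -> (salt, hash)."""

    def __init__(self):
        self.users = {}

    def create(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def exists(self, user_id: str) -> bool:
        return user_id in self.users


def close_account_weak(store: AccountStore, session_user: str) -> bool:
    """Behaviour described in the report: the logged-in session is enough."""
    return store.users.pop(session_user, None) is not None


def close_account_confirmed(store: AccountStore, session_user: str,
                            supplied_password: str) -> bool:
    """Hardened form: the current password must be supplied again."""
    record = store.users.get(session_user)
    if record is None or not supplied_password:
        return False
    salt, stored_hash = record
    candidate = hash_password(supplied_password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, stored_hash):
        return False
    del store.users[session_user]
    return True
```

With the second handler, someone sitting at an unattended logged-in session still cannot close the account without knowing the password.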


PS: This was resolved by indeed.com after reporting this informational vulnerability.
