Issue Description
Reported by: Vikash Gupta
Severity: High
Category: Authentication / Authorization / Business Logic / Insecure Account Management
Summary
The account deletion flow allows a user (or an attacker who can trigger the request) to delete an account without requiring the current password, re-authentication, or strong secondary verification (MFA/OTP). Because deletion is a destructive, high-impact operation, the absence of password confirmation enables account takeover, denial-of-service against users, data loss, and abuse via CSRF/parameter tampering or session theft.
Steps to Reproduce
1. Go to https://app.documenso.com/signin
2. Log in, go to your profile, and locate Delete Account.
3. Click Delete Account & All data.
BOOOM! Account deleted without authentication!
Impact
🗑️ Unauthorized Account Deletion / Denial-of-Service: An attacker who obtains a session, forges a request, or tampers with parameters (or even uses CSRF) can permanently delete a user’s account.
🔐 Account Takeover Facilitation: Deleting an account may be used as a cleanup step by attackers after takeover or as a step to block recovery for the legitimate owner.
📉 Permanent Data Loss: User data (profiles, content, billing history) may be irreversibly removed if deletion is immediate and hard-deletes data.
⚖️ Compliance & Legal Risk: Inconsistent deletion processes can conflict with regulated data-retention or erasure policies (e.g. GDPR, under which the platform must also be able to prove proper consent/authorization for each deletion).
🔁 Operational Overhead: High support burden for manual restores, investigations, and remediation after unauthorized deletions.
🧩 Trust & Reputation Damage: Users expect destructive actions to require strong proofs; lack of it undermines platform trust.
Business Impact
💼 Customer Churn / Business Disruption: Loss of user data and inability to recover accounts lead to churn and potential SLA violations.
💸 Financial Exposure: Deletion of billing or contract records may cause billing disputes, refunds, or revenue impact.
⚖️ Regulatory Exposure: Improper deletion authorization or evidence of negligent controls could trigger regulatory action or fines.
🛠️ Support & Engineering Cost: Manual account recovery, incident response, and root-cause fixes increase operational costs.
🔍 Public Relations Risk: High-profile or repeated incidents can damage brand reputation and user confidence.
CVSS v3.1 (recommended)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 8.8 (High)
Rationale: Network-exploitable destructive action with no re-authentication. Results in high confidentiality/integrity/availability impact for affected accounts.
Root Cause (likely)
Current Behavior
Deletion endpoint trusts an authenticated session or token without checking session freshness or requiring password re-entry.
Lack of server-side re-authentication, MFA, or secondary confirmation for destructive operations.
Endpoint may accept unauthenticated or poorly validated requests (susceptible to CSRF or parameter tampering).
Missing or weak audit/logging and lack of a safe "pending deletion" workflow (hard delete applied immediately).
UI-only protections without corresponding server-side checks; relying on client behavior for security.
Recommended Remediation (High priority)
Require Re-Authentication (Password) Before Deletion
Always require the current password (or an equivalent recent authentication) to perform account deletion. Treat deletion as a privileged action.
Enforce Strong Secondary Verification for High-Risk Accounts
For accounts with elevated access or sensitive data, require MFA confirmation (OTP, authenticator) before allowing deletion.
Use a Pending Deletion Workflow (Soft-Delete + Grace Period)
Mark accounts as pending_deletion and delay irreversible deletion (e.g., 7–30 days). During the grace period allow easy self-restore and notify the old email.
Confirm via Existing Email & Provide Cancel Option
Send an explicit email to the account owner (current email) with a secure cancel/revert link and only finalize deletion after confirmation or after expiry of the grace period.
Protect Endpoints from CSRF & Parameter Tampering
Ensure deletion endpoints require CSRF tokens, use SameSite cookies, and validate request origin/Referer. Reject requests containing unexpected parameters.
Enforce Endpoint-Level Authorization & Freshness
Check session age and require recent authentication (reauth) or token freshness for destructive actions. Reject stale sessions.
Log, Audit & Alert
Log deletion initiation requests, confirmations, IPs, user agents, and outcome. Alert on suspicious patterns (multiple deletions from same IP, mass deletions).
Require Human Review for High-Risk Cases
For enterprise/admin accounts or bulk-deletion requests, require manual review or secondary approval.
Provide Clear UX & Explicit Warnings
Make the deletion flow explicit, require typed confirmation (e.g., enter email or “DELETE”), and show consequences clearly.
Implement Recovery & Forensics Procedures
Ensure backups and procedures exist to recover accidentally or maliciously deleted data; maintain audit trails for forensic analysis.
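As an added example (not Documenso's own code), the remediation steps above folded into one server-side flow in TypeScript: CSRF token check, ownership check, session freshness, constant-time password re-authentication, server-side typed confirmation, a cancellable soft-delete with grace period, and an audit trail. The type names, the time constants and the in-memory auditLog are assumptions.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";
// Added example, not Documenso's code. The type names, the GRACE_PERIOD_MS and
// MAX_SESSION_AGE_MS values and the in-memory auditLog are assumptions.
const GRACE_PERIOD_MS = 14 * 24 * 60 * 60 * 1000; // soft-delete grace period
const MAX_SESSION_AGE_MS = 10 * 60 * 1000;        // older sessions must re-authenticate
const auditLog: string[] = [];                    // stand-in for a real audit sink

interface Account { id: string; email: string; salt: Uint8Array; hash: Uint8Array;
                    pendingDeletionAt?: number; deleted?: boolean; }
interface Session { userId: string; authenticatedAt: number; csrfToken: string; }
interface DeleteRequest { password: string; confirmation: string; csrfToken: string; }

function hashPassword(password: string) {
  const salt = randomBytes(16);
  return { salt, hash: scryptSync(password, salt, 32) };
}
// Every check runs server-side, whatever the UI showed; returns "pending" or a rejection reason.
function requestDeletion(acct: Account, session: Session, req: DeleteRequest, now: number): string {
  // CSRF: the token in the request body must match the one bound to the session.
  if (req.csrfToken !== session.csrfToken) return "rejected:csrf";
  // Authorization: a session may only delete its own, still-existing account.
  if (session.userId !== acct.id || acct.deleted) return "rejected:forbidden";
  // Freshness: a stale session must re-authenticate before a destructive action.
  if (now - session.authenticatedAt > MAX_SESSION_AGE_MS) return "rejected:reauth_required";
  // Re-authentication: the current password, compared in constant time.
  if (!timingSafeEqual(scryptSync(req.password, acct.salt, 32), acct.hash)) return "rejected:bad_password";
  // Typed confirmation (the account e-mail) is validated here, not only in the browser.
  if (req.confirmation.trim().toLowerCase() !== acct.email.toLowerCase()) return "rejected:confirmation";
  // Soft delete: schedule the hard delete so the owner can still cancel during the grace period.
  acct.pendingDeletionAt = now + GRACE_PERIOD_MS;
  auditLog.push(`deletion_requested user=${acct.id} finalize_at=${acct.pendingDeletionAt}`);
  return "pending";
}

// Self-restore during the grace period (the cancel link e-mailed to the current address calls this).
function cancelDeletion(acct: Account, session: Session, now: number): boolean {
  if (session.userId !== acct.id || acct.deleted || acct.pendingDeletionAt === undefined) return false;
  if (now >= acct.pendingDeletionAt) return false; // grace period already over
  acct.pendingDeletionAt = undefined;
  auditLog.push(`deletion_cancelled user=${acct.id}`);
  return true;
}

// Scheduled job: hard-delete only accounts whose grace period has expired; returns the count.
function finalizeDeletions(accounts: Account[], now: number): number {
  const due = accounts.filter(a => !a.deleted && a.pendingDeletionAt !== undefined && now >= a.pendingDeletionAt);
  for (const a of due) { a.deleted = true; auditLog.push(`deletion_finalized user=${a.id}`); }
  return due.length;
}
```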
Conclusion
Allowing account deletion without password confirmation is a serious security and business risk: it permits unauthorized destructive actions, data loss, and potential cover-up after account takeover. Implement re-authentication, strong verification, soft-delete with grace periods, CSRF protections, and thorough logging immediately to mitigate risk and protect user data.
Reported by: Vikash Gupta
Operating System: 1
Browser: Firefox
Version: 1