There is a critical flaw in the account handling and card file verification system. When creating an account, a corresponding card file (e.g., alice6.card for account alice6) is generated. However, it has been observed that actions intended for alice7 can be performed using the card file of alice6, which implies that the system does not correctly verify or restrict operations based on the card file associated with each account.
The system does not enforce the uniqueness of card files per account, allowing any card file to be used for any account, provided the card file exists. This means that an attacker with access to any single card file could potentially access and manipulate other accounts.
Each account should be exclusively accessible with its corresponding card file. For example, only alice7.card should authorize access to alice7's account, and alice6.card should only authorize access to alice6's account.
The card file seems to be ignored as the manipulation happens on the correct account as seen in the output. This is not a security bug but could be a functionality bug.
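One way to enforce the per-account binding the report asks for, as an added example that is not the project's code: the card carries an HMAC tag over the account name, so a card issued for alice6 fails verification for alice7. `BANK_KEY`, the card layout, and the functions `issue_card`, `authorize_weak` and `authorize_bound` are assumptions; `authorize_weak` only models the behaviour the report describes.

```python
import hashlib
import hmac
import secrets

BANK_KEY = secrets.token_bytes(32)  # assumed bank-only secret (hypothetical)
ID_LEN, TAG_LEN = 16, 32            # assumed card layout: random id || HMAC-SHA256 tag


def _tag(account: str, card_id: bytes, key: bytes) -> bytes:
    # card_id has a fixed length, so account || 0x00 || card_id parses unambiguously
    return hmac.new(key, account.encode() + b"\x00" + card_id, hashlib.sha256).digest()


def issue_card(account: str, key: bytes = BANK_KEY) -> bytes:
    """Card contents: a random id plus an HMAC tag tying that id to one account."""
    card_id = secrets.token_bytes(ID_LEN)
    return card_id + _tag(account, card_id, key)


def authorize_weak(account: str, card: bytes, issued: dict) -> bool:
    """Model of the reported behaviour: any card that exists is accepted."""
    return account in issued and card in issued.values()


def authorize_bound(account: str, card: bytes, key: bytes = BANK_KEY) -> bool:
    """Accept the card only if its tag was computed for this account name."""
    if len(card) != ID_LEN + TAG_LEN:
        return False  # truncated or padded card file
    card_id, tag = card[:ID_LEN], card[ID_LEN:]
    return hmac.compare_digest(tag, _tag(account, card_id, key))  # constant-time compare


def demo() -> dict:
    # Constructed sample accounts, named after the ones in the report.
    issued = {name: issue_card(name) for name in ("alice6", "alice7")}
    a6 = issued["alice6"]
    return {
        "weak_cross": authorize_weak("alice7", a6, issued),    # alice6.card on alice7
        "bound_cross": authorize_bound("alice7", a6),          # same attempt, bound check
        "bound_own": authorize_bound("alice6", a6),            # legitimate use
        "bound_truncated": authorize_bound("alice6", a6[:-1]), # damaged card file
    }


if __name__ == "__main__":
    print(demo())
```

A regression test for the issue would assert exactly the cross-account case: alice6.card presented for alice7 must be rejected.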