ajayss
High
Anyone can deleteAddressAtIndex() after registerAddress() to a random profile, taking over the account.
Summary
The key of the issue lies in the fact that anyone can registerAddress to any profile Id they want, provided it has enough maxAddresses left. After registering the address, they can use it to delete the legitimate addresses that were owned by the original user of the profile id.
The profile can be made irrecoverable when the maxNumberOfAddresses is reached as well, leaving the original user unable to use the same tactic to recover his/her account.
Root Cause
The root cause is that anyone can register an address attached to any profile ID. A mechanism where registering an address requires the approval of an existing address associated with the profile would solve this issue.
Internal pre-conditions
maxNumberOfAddresses of the profile id is not reached yet, allowing others to register addresses to the profile id.
External pre-conditions
No response
Attack Path
Attacker registers his own address to the target profile id.
Attacker deletes every other address associated with the profile except his.
If maxNumberOfAddresses hasn't been reached already, the attacker exhausts it by registering more addresses.
Impact
Full account takeover of any target.
PoC
No response
Mitigation
Have approval-based additions of new registered addresses to the profile id, where existing addresses approve the new address being registered to the profile id.
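The following is an added illustration of the root cause and of the approval-based mitigation; it is not the audited project's code, and the project's real contract was not available to the author of this illustration. It assumes a hypothetical minimal registry in which a profile id maps to a bounded list of addresses (maxNumberOfAddresses, registerAddress, deleteAddressAtIndex are the names from the finding; the storage layout, the approveAddress step, the events and the first-claim rule for an empty profile are assumptions). The first contract reproduces the missing authorization check on registration; the second requires an existing address to approve a newcomer before it can register, which is the mitigation described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical registry reproducing the reported pattern (not the project's code):
// registerAddress() never checks that the caller is already tied to the profile,
// so any account can join a profile and then remove its legitimate addresses.
contract ProfileRegistryVulnerable {
    uint256 public constant maxNumberOfAddresses = 5;        // assumed bound
    mapping(uint256 => address[]) internal addressesOf;
    mapping(uint256 => mapping(address => bool)) public isRegistered;

    // Missing authorization: any caller may attach itself to any profileId.
    function registerAddress(uint256 profileId) external {
        require(addressesOf[profileId].length < maxNumberOfAddresses, "profile full");
        require(!isRegistered[profileId][msg.sender], "already registered");
        addressesOf[profileId].push(msg.sender);
        isRegistered[profileId][msg.sender] = true;
    }

    // Only checks that the caller is a member, which an unauthorized registrant now is.
    function deleteAddressAtIndex(uint256 profileId, uint256 index) external {
        require(isRegistered[profileId][msg.sender], "not a profile member");
        address[] storage list = addressesOf[profileId];
        require(index < list.length, "bad index");
        isRegistered[profileId][list[index]] = false;
        list[index] = list[list.length - 1];                  // swap-and-pop removal
        list.pop();
    }
}

// Mitigated version: a newcomer can only register after an existing address of
// the profile has approved it (approve-then-register, as suggested in Mitigation).
contract ProfileRegistryFixed {
    uint256 public constant maxNumberOfAddresses = 5;        // assumed bound
    mapping(uint256 => address[]) internal addressesOf;
    mapping(uint256 => mapping(address => bool)) public isRegistered;
    // profileId => candidate => approved by a current member of that profile
    mapping(uint256 => mapping(address => bool)) public isApproved;

    event AddressApproved(uint256 indexed profileId, address indexed candidate, address indexed by);
    event AddressRegistered(uint256 indexed profileId, address indexed account);
    event AddressDeleted(uint256 indexed profileId, address indexed account);

    modifier onlyMember(uint256 profileId) {
        require(isRegistered[profileId][msg.sender], "not a profile member");
        _;
    }

    // Step 1: an address already on the profile vouches for the candidate.
    function approveAddress(uint256 profileId, address candidate) external onlyMember(profileId) {
        require(candidate != address(0), "zero address");
        require(!isRegistered[profileId][candidate], "already registered");
        isApproved[profileId][candidate] = true;
        emit AddressApproved(profileId, candidate, msg.sender);
    }

    // Step 2: only an approved candidate may register itself. An empty profile is
    // claimable by its first address (assumed creation rule; adapt to the real one).
    function registerAddress(uint256 profileId) external {
        address[] storage list = addressesOf[profileId];
        require(list.length < maxNumberOfAddresses, "profile full");
        require(!isRegistered[profileId][msg.sender], "already registered");
        if (list.length != 0) {
            require(isApproved[profileId][msg.sender], "not approved by an existing address");
            delete isApproved[profileId][msg.sender];         // one-shot approval
        }
        list.push(msg.sender);
        isRegistered[profileId][msg.sender] = true;
        emit AddressRegistered(profileId, msg.sender);
    }

    // Members may still prune addresses, but the last one cannot be removed, so a
    // profile never becomes empty and re-claimable by an arbitrary account.
    function deleteAddressAtIndex(uint256 profileId, uint256 index) external onlyMember(profileId) {
        address[] storage list = addressesOf[profileId];
        require(index < list.length, "bad index");
        require(list.length > 1, "cannot remove the last address");
        address removed = list[index];
        isRegistered[profileId][removed] = false;
        list[index] = list[list.length - 1];
        list.pop();
        emit AddressDeleted(profileId, removed);
    }
}
```

With the fixed contract, the first step of the attack path (an outsider calling registerAddress on someone else's profile) reverts with "not approved by an existing address", so the later deletions are never reachable by an unauthorized caller. The "cannot remove the last address" guard is an extra design choice added here, not something the finding asks for; it closes the related case where a profile drained to zero addresses could be claimed fresh by anyone under the first-claim rule.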