swauth: illegally obtaining reseller admin credentials via GET v2/account/user call
Asked by
Rostik Slipetskyy
In swauth, a user acting as .admin for some account can retrieve data for any user that belongs to that account. If it happens that a reseller admin is registered in the given account, a malicious admin can obtain the credentials of .reseller_admin via GET v2/account/
It looks like common/
1) .super_admin and .reseller_admin can get info for any user
2) .admin can get info for all users that are not .reseller_admins
Does it make sense?
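The two-level rule proposed in the question (super/reseller admins see every user; an account admin sees only its own account's users and never a reseller admin) is small enough to model directly. The following is an added example written for this page, not swauth's own code: the account names, user names, group names and the dict-based user store are all constructed assumptions, and the function is a policy check a defender could compare against the real handler's behaviour.

```python
# Added example (not swauth's code): minimal model of the access rule proposed
# in the question, so the allowed and denied cases can be checked side by side.
# Account names, user names and the USERS layout are constructed for this demo.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requester:
    """Identity of the caller making the GET v2/<account>/<user> request."""
    account: str
    user: str
    groups: frozenset = field(default_factory=frozenset)  # e.g. {".admin"}
    super_admin: bool = False  # the special .super_admin key holder


# Constructed user store: account -> user -> set of group names.
# ".admin" marks an account admin, ".reseller_admin" a reseller admin.
USERS = {
    "acct1": {
        "alice": {".admin"},
        "bob": set(),
        "rsl": {".admin", ".reseller_admin"},  # reseller admin living in acct1
    },
    "acct2": {
        "carol": {".admin"},
    },
}


def can_get_user(req, target_account, target_user, users=USERS):
    """Return True if `req` may read the record of target_account/target_user.

    Rule from the question:
      1) .super_admin and .reseller_admin may read any user;
      2) an account .admin may read users of its own account only, and never
         a user who is a .reseller_admin (that record carries reseller-level
         credentials the account admin must not see).
    Everyone else is denied. Existence of the target is not checked here; a
    missing record is left to the lookup that follows an allowed request.
    """
    target_groups = users.get(target_account, {}).get(target_user, set())

    if req.super_admin or ".reseller_admin" in req.groups:
        return True

    if ".admin" in req.groups and req.account == target_account:
        return ".reseller_admin" not in target_groups

    return False


def audit(req, targets, users=USERS):
    """Evaluate a list of (account, user) targets; returns {target: decision}."""
    return {(a, u): can_get_user(req, a, u, users) for a, u in targets}


if __name__ == "__main__":
    alice = Requester("acct1", "alice", frozenset({".admin"}))
    for target, ok in audit(alice, [("acct1", "bob"), ("acct1", "rsl"),
                                    ("acct2", "carol")]).items():
        print(target, "allowed" if ok else "denied")
```

The check is deliberately ordered so the reseller-admin exclusion is applied only on the account-admin branch: a reseller admin reading another reseller admin's record is still allowed, which is what rule 1 in the question asks for.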
Status: Answered