- userA has an account on serverA
- userA enables passwordless login (webauthn) and registers a key/device
- userA is removed from the system
- a new user comes along and is assigned userA as their user ID
- the old userA tries to log in with their key
- the old userA can see all data of the new userA
Impact
This can lead to an unauthorized actor gaining full access to the data of another user.
As suggested in https://hackerone.com/reports/1200700, a blocklist of old user IDs would help here. However, all of the removed user's data should of course be cleaned up as well!
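The following is an added illustration, not the report's or any project's code: a constructed in-memory model that replays the six steps above against a deletion routine that leaves the WebAuthn registration behind, one that purges it, and one that additionally blocklists the retired user ID. All names (`Store`, `delete_user_*`, `passwordless_login`, the credential id `key-1`) are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed in-memory model of the report's flow; not any project's real code.

@dataclass
class Store:
    users: dict = field(default_factory=dict)        # uid -> who currently owns that account's data
    credentials: dict = field(default_factory=dict)  # webauthn credential id -> uid it was registered for
    retired_uids: set = field(default_factory=set)   # blocklist of uids that have been deleted

def create_user(store, uid, owner):
    if uid in store.retired_uids:
        raise ValueError(f"uid {uid!r} was used before and must not be reassigned")
    store.users[uid] = owner

def register_key(store, uid, cred_id):
    store.credentials[cred_id] = uid

def delete_user_vulnerable(store, uid):
    # The flaw: the account goes away, the webauthn registration stays behind.
    del store.users[uid]

def delete_user_cleanup(store, uid):
    # Fix one: purge every credential bound to the uid when the account is removed.
    del store.users[uid]
    for cred_id in [c for c, u in store.credentials.items() if u == uid]:
        del store.credentials[cred_id]

def delete_user_cleanup_and_retire(store, uid):
    # Fix two: also blocklist the uid so a later account cannot inherit it.
    delete_user_cleanup(store, uid)
    store.retired_uids.add(uid)

def passwordless_login(store, cred_id):
    """Owner whose data the key holder lands in, or None if the login is refused."""
    uid = store.credentials.get(cred_id)
    if uid is None or uid not in store.users:
        return None
    return store.users[uid]

def scenario(delete_user):
    """Replays the six steps of the report; returns what the old key holder can reach."""
    s = Store()
    create_user(s, "userA", "original owner")
    register_key(s, "userA", "key-1")
    delete_user(s, "userA")
    try:
        create_user(s, "userA", "new owner")
    except ValueError:
        return "uid reassignment refused"
    return passwordless_login(s, "key-1")
```

With the vulnerable deletion the old key lands in the new owner's account; with cleanup alone the stale key is simply unknown, and with the blocklist the ID is never handed out again.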