Your help desk allows creating tickets by email, which means a user can send an email to the NordVPN support address to add a new ticket to their account. So when you send an email to
email@example.com from your email address, the ticket is created on the account registered with that email address.
Steps To Reproduce:
- Navigate to this page:
- Click the Email button below.
- Fill out the form. See my attached photo.
- As you can see, I am not an authorized user and have no account with NordVPN.
- Use the victim's email address when requesting account deletion.
- Wait a few hours.
- The victim's account is deleted successfully.
Victim 1:
Victim 2:
Note: The account was removed from the database.
- Critical actions like changing the email address or closing the account should be verified by sending a PIN code to the user's registered email address and asking them to reply with that code.
- The second fix, which I don't like, is to disable creating tickets via your support email for better security.
- Send a confirmation link when deleting an account.
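The first and third fixes above amount to the same control: an account-deletion request that arrives by email must not be executed until the account owner proves control of the registered address. The following is an added example (not NordVPN's or the help-desk vendor's code) of a hypothetical `TicketDeletionGuard` that parks such requests, mails a one-time PIN to the address on file (never to the sender of the ticket), and only deletes the account after a matching reply within a short window; the `send_mail` and `delete_account` callables are assumed hooks into the real help desk.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 15 * 60  # confirmation window for the mailed PIN


@dataclass
class PendingDeletion:
    pin: str
    account_email: str
    expires_at: float
    attempts: int = 0


class TicketDeletionGuard:
    """Holds email-originated deletion requests until the account owner
    replies with a PIN that was sent to the registered address."""

    def __init__(self, send_mail, now=time.time, max_attempts=3):
        self.send_mail = send_mail      # assumed hook: send_mail(to_addr, body)
        self.now = now
        self.max_attempts = max_attempts
        self.pending = {}               # ticket_id -> PendingDeletion

    def request_deletion(self, ticket_id, registered_email):
        # The ticket's From header is sender-controlled, so it is never used as
        # proof of ownership; the PIN goes only to the address on file.
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[ticket_id] = PendingDeletion(
            pin, registered_email, self.now() + PIN_TTL_SECONDS)
        self.send_mail(registered_email,
                       f"Reply with code {pin} to confirm deletion of ticket {ticket_id}.")
        return "awaiting_confirmation"

    def confirm_deletion(self, ticket_id, reply_pin, delete_account):
        p = self.pending.get(ticket_id)
        if p is None:
            return "no_pending_request"
        if self.now() > p.expires_at:
            del self.pending[ticket_id]
            return "expired"
        p.attempts += 1
        if not hmac.compare_digest(p.pin, reply_pin):   # constant-time compare
            if p.attempts >= self.max_attempts:         # stop PIN guessing
                del self.pending[ticket_id]
                return "locked"
            return "wrong_pin"
        del self.pending[ticket_id]
        delete_account(p.account_email)                 # assumed hook
        return "deleted"
```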
The Unauthorized User Can Delete Any User Account